creating password-protected shares with Samba 3.x on FreeBSD 6.x
Jan 3, 2010

The procedure below creates a network volume which can be accessed by multiple users, but only if they have authenticated. It implements Samba's user-level security; the resulting volume works similarly to a share on a Windows system, where permissions to the share are restricted to certain users or groups. This kind of setup is useful for a business environment, where a shared, central and secure space is required.

However, the procedure below does not use or define a Windows domain, and is thus best suited for businesses with a single server (or a series of standalone servers) where domains are not used. In particular, as domains are not used, "single sign-on" is not possible. In a small business environment this is not likely to pose a problem; however, when multiple servers are deployed, password management and synchronisation can become an issue. If you have multiple servers, see creating a PDC and creating a member server.

In addition to the shared volume, the procedure below also defines a home directory for each user, which only they can access. This private network space is useful for storing files, which should not be shared, in a central location.

See also: troubleshooting Samba

Process:

  1. Install and configure Samba:

    1. cd /usr/ports/net/samba3
    2. make install clean (this requires a live internet connection, and takes a while)
    3. from Samba's install options, select at least: SYSLOG, UTMP, PAM_SMBPASS, POPT, PCH (and CUPS if you want to use the PDC as a print server)
    4. cd /usr/local/etc
    5. cp smb.conf.default smb.conf
    6. chmod 644 smb.conf
    7. vi /usr/local/etc/smb.conf
    8. In the [global] section, set the security mode to user
    9. In the [global] section, set domain master and preferred master to Yes
    10. In the [global] section, set os level = 255

      Note: these last three settings will cause this server to become the master browser on your LAN. Only one server should be the master browser. Do not set these on more than one server.

    11. Create a section for the share (do this in the "share definitions" section):
      [private]
      comment = description of the share (optional)
      path = /data/smbspace
      read only = no
      valid users = testuser
      

      If more than one user will be accessing the share, it's possible to include a unix user group in the 'valid users' line. For example, this will give access to the share to all users in the 'staff' group:

      valid users = @staff
      
    12. save the changes and exit the editor

  2. Create a share directory, and set permissions:
    mkdir /data/smbspace
    chgrp -R staff /data/smbspace
    chmod -R 770 /data/smbspace
    

    The user must be a member of a group which has permissions to the share. In the example above, user 'testuser' must be a member of the 'staff' group in order to gain access. To create a new 'staff' group, use this command:

    pw groupadd staff
    

    Note: this uses the FreeBSD-specific pw command (see the pw manpage)

  3. If multiple users will be sharing files, add these to the section of smb.conf which defines the share:
    create mask = 0660
    directory mask = 0771
    

    This gives every user of the share the ability to read, write and delete all files and directories on it, regardless of which user created them.

  4. For each user of the share, create unix user accounts:
    pw useradd -n testuser -s /sbin/nologin -c "Test User" -g staff -m
    

    The example above creates a user called 'testuser' and adds it to the 'staff' group. Unless otherwise desired, the unix user account should be set to "nologin". This does not prevent users from accessing the share, but it does stop them logging in with telnet, etc. Note that -c is the comment field; Windows XP displays this at the top of the Start menu, e.g. "Test User". Also note that no password is defined for the unix user account; that's OK, as the account is set to "nologin". Lastly, note that -m tells pw to create the user's home directory; if you're not creating home directories, remove it.

  5. Configure /etc/rc.conf to enable Samba on boot:
    echo samba_enable=\"YES\" >> /etc/rc.conf
    
  6. Reboot

    A reboot is recommended here. This will put the Samba binaries into the path, and verify that Samba starts automatically. Don't forget to log back in as root before continuing.

  7. For each user of the share, create SMB user accounts:
    smbpasswd -a testuser
    

    The users must exist on the system already (i.e. a unix user account must exist for each Samba user). The SMB password can be different from the unix user account password.
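
As an added example (not part of the original page), the POSIX sh functions below audit the unix side of the setup against what the smb.conf 'valid users' line grants: the share directory must be group-owned and chmod 770 as in step 2, and every user named in 'valid users' must actually be a member of that group, otherwise Samba will admit the user but the filesystem will refuse them. It assumes only ls, cut, id, tr and grep as found on FreeBSD; the user and group names passed in are placeholders.

```shell
#!/bin/sh
# Added audit helper, not from the original page. Checks the filesystem
# side of a Samba user-level share against the 'valid users' setting.

# Return 0 when DIR is group-owned by GROUP with mode exactly rwxrwx--- (770).
check_share_dir() {
    dir=$1; group=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # ls -ld fields: 1=mode string, 4=group name (positional params are local here)
    set -- $(ls -ld "$dir")
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop any trailing ACL marker (+/@)
    [ "$mode" = "drwxrwx---" ] || { echo "wrong mode on $dir: $mode (want drwxrwx---)"; return 1; }
    [ "$4" = "$group" ] || { echo "wrong group on $dir: $4 (want $group)"; return 1; }
    return 0
}

# VALID is the 'valid users' value (e.g. "testuser, @staff"). Prints every
# plain user listed there who is not a member of GROUP and returns 1 if any
# such user exists; '@group' entries are skipped, since their members are in
# the group by definition.
check_valid_users() {
    valid=$1; group=$2; rc=0
    for entry in $(printf '%s' "$valid" | tr ',' ' '); do
        case $entry in
            @*) continue ;;
        esac
        if ! id -Gn "$entry" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
            echo "$entry is in 'valid users' but not in unix group $group"
            rc=1
        fi
    done
    return $rc
}
```

Run both checks after steps 2 and 4, e.g. `check_share_dir /data/smbspace staff && check_valid_users "testuser, @staff" staff`; any line printed names a user who will be able to authenticate but not open the share.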

Notes: