Samba shares for home server

I’ve got a file server at home where I store both shared files (which should be available to everyone on my network), as well as private files (which must be readable only by my user). These are my notes on how I set it up.

The private directory

We’ll start with the private directory because it’s a lot easier.

Requirements:

  • only I can read and write files and directories, and
  • the same user is used for creating files on the server and over SMB.

First, let’s create the directory:

sudo mkdir /data/private
sudo chown andrei:andrei /data/private
sudo chmod 750 /data/private

Now we’ll need to add the andrei user to Samba’s smbpasswd file.

sudo smbpasswd -a andrei

And now the Samba config (note that some of these options may be set to their defaults, but I prefer to be explicit):

[private]
comment = My private files
path = /data/private
browsable = no             ; don't list it in available shares
public = no                ; will require a password
writeable = yes            ; the inverse of 'read only'
create mask = 0640
directory mask = 0750

The shared directory

For a shared directory, I require that anyone on the network can

  • read all files,
  • write to all existing files,
  • create new files and directories,
  • delete any files, and
  • do all of the above with files created by other users on the server (e.g. using rsync/ssh).

To accomplish the above, we’ll need to ensure all files are created with the correct permissions, and that they keep the correct permissions the entire time; i.e. we don’t want someone setting permissions that make the files unreadable by others, even accidentally.

First, let’s create the directory:

sudo mkdir /data/shared
sudo chown nobody:sambashare /data/shared
sudo chmod 2770 /data/shared     # setgid bit, so new entries inherit the group

Now we’ll want to add our system user to the sambashare group so we can read/write to that directory outside of Samba:

sudo adduser andrei sambashare

To test this, you can reload your user’s groups in a shell using:

su - $USER

And now for the Samba config:

[shared]
comment = Shared files
path = /data/shared
browseable = yes
public = yes
writeable = yes
; inherit permissions ensures new directories are 770 and files are 660
; because /data/shared itself is 770
inherit permissions = yes
guest account = nobody
force group = sambashare
; map archive/system/hidden = no ensures the executable bits aren't set on files
map archive = no
map system = no
map hidden = no

Since the setgid bit is set on /data/shared, new directories and files created by logging into the server over SSH will be owned by andrei:sambashare, while Samba will enforce that anything created through the share is owned by nobody:sambashare. There are still cases where “new” files or directories will have incorrect permissions, e.g. when using mv to move them in from somewhere else: mv keeps the existing file permissions, because you’re not really creating a new file but moving an existing one.

To ensure all files always have the correct permissions, you may find you need to write a cron job that fixes permissions periodically.
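As an added example (not part of the original notes), here is one such cron job: a POSIX shell script that resets ownership and modes under the share to what the [shared] section above expects. The script name, the cron schedule and the scratch-directory testing approach are my assumptions; the directory, owner and group are passed as arguments so it can be checked without root.

```shell
#!/bin/sh
# fix-share-perms.sh (assumed name): restore the ownership and modes the
# [shared] section expects, for files that arrived via mv, rsync or any
# other path Samba does not control. Run from cron as root, for example:
#   */15 * * * * root /usr/local/sbin/fix-share-perms.sh /data/shared nobody sambashare
# Directory, owner and group are arguments so the same function can be
# exercised against a scratch directory without root.

fix_share_perms() {
    dir=$1
    owner=$2
    group=$3
    [ -d "$dir" ] || { echo "fix_share_perms: not a directory: $dir" >&2; return 1; }

    # Ownership: everything belongs to the guest account and the share group.
    # Only touch entries that are wrong, so an idle share causes no churn.
    find "$dir" \( ! -user "$owner" -o ! -group "$group" \) \
        -exec chown "$owner:$group" {} +

    # Directories: 2770, i.e. rwx for owner and group plus setgid, so that
    # entries created over SSH inherit the share group.
    find "$dir" -type d ! -perm 2770 -exec chmod 2770 {} +

    # Regular files: 660. This also strips any executable bits that a mv or
    # an rsync -p carried in from the source.
    find "$dir" -type f ! -perm 0660 -exec chmod 0660 {} +
}

# When run as a script with all three arguments, fix the given share.
if [ "$#" -eq 3 ]; then
    fix_share_perms "$1" "$2" "$3"
fi
```

Because each find only selects entries whose owner or mode is already wrong, the job is idempotent and safe to run as often as you like.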

Published on November 10, 2021.