Samba on Linux: Complete File Sharing Setup Guide for Windows and Linux Clients
Samba is the open-source implementation of the SMB/CIFS network file sharing protocol, enabling Linux servers to share files and printers with Windows, macOS, and other Linux machines as if they were native Windows network drives. Beyond simple file sharing, Samba can join an Active Directory domain, act as an AD domain controller, and provide seamless file access to thousands of Windows clients using their existing domain credentials. This guide covers setting up Samba file shares on Linux, configuring per-share permissions, adding Samba users, connecting Windows and Linux clients, and joining an Active Directory domain.
Table of Contents
- Samba Architecture: smbd, nmbd, and winbindd
- Installing Samba on Linux
- Configuring smb.conf: Global Settings
- Creating a Public (Guest) File Share
- Creating Authenticated File Shares
- Adding Samba Users and Managing Passwords
- Firewall Configuration
- Connecting from Windows Clients
- Connecting from Linux and macOS Clients
- Joining Samba to Active Directory as a Member Server
- Permissions: Linux Ownership vs Samba ACLs
- Monitoring with smbstatus and Logs
- Troubleshooting Common Issues
Samba Architecture: smbd, nmbd, and winbindd
Samba consists of three main daemons that handle different responsibilities:
- smbd: The core file and printer sharing daemon. It handles SMB protocol connections, authentication, and all file I/O operations. This is the process you must have running for any file sharing.
- nmbd: NetBIOS name service daemon. It handles legacy NetBIOS name resolution and browsing (appearing in Windows Network Neighborhood). Less critical on modern networks using DNS, but still needed for some Windows discovery features.
- winbindd: The AD/domain integration daemon. Required when the Samba server joins an Active Directory domain; it handles user and group name resolution from the domain, mapping AD identities to local Unix UIDs/GIDs.
Installing Samba on Linux
# RHEL / Rocky Linux / AlmaLinux
dnf install -y samba samba-client samba-common
# Ubuntu / Debian
apt install -y samba samba-client cifs-utils
# Enable and start services
systemctl enable --now smb nmb # RHEL/Rocky
# or
systemctl enable --now smbd nmbd # Ubuntu/Debian
# Verify Samba is listening
ss -tlnp | grep smbd
testparm -s # Validate smb.conf syntax and show effective configuration
Configuring smb.conf: Global Settings
The main configuration file is /etc/samba/smb.conf. Start by backing up the default and writing a clean configuration.
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
cat > /etc/samba/smb.conf << 'CONF'
[global]
# Comments must sit on their own line: smb.conf treats text after a value as part of that value
# Must match your Windows workgroup or AD domain NetBIOS name
workgroup = WORKGROUP
server string = File Server %h
# Hostname as seen by Windows clients
netbios name = FILESERVER
# Security: use 'user' for local users, 'ads' for Active Directory
security = user
passdb backend = tdbsam
# Logging
log file = /var/log/samba/log.%m
max log size = 1000
log level = 1
# Performance
socket options = TCP_NODELAY IPTOS_LOWDELAY
use sendfile = yes
aio read size = 16384
aio write size = 16384
# Disable printing if not needed
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Modern SMB settings: disable legacy SMB1 completely
server min protocol = SMB2
client min protocol = SMB2
CONF
Creating a Public (Guest) File Share
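A public share allows any user on the network to read (and optionally write) files without providing credentials. It is useful for software distribution or internal media libraries. The example below sets read only = no, so guests can also write; use read only = yes when clients only need to download.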
# Create the directory
mkdir -p /srv/samba/public
chmod 0777 /srv/samba/public
chown nobody:nobody /srv/samba/public # Debian/Ubuntu: use nobody:nogroup
# Add to smb.conf
cat >> /etc/samba/smb.conf << 'CONF'
[public]
comment = Public Share
path = /srv/samba/public
browseable = yes
read only = no
guest ok = yes
create mask = 0664
directory mask = 0775
CONF
# Reload Samba configuration
systemctl reload smb # RHEL/Rocky
# or
smbcontrol smbd reload-config
Creating Authenticated File Shares
# Create a group for Samba share access (it must exist before the chown below)
groupadd smbusers
# Create directories with appropriate ownership
mkdir -p /srv/samba/data
mkdir -p /srv/samba/hr
chown -R root:smbusers /srv/samba/data
chmod 2770 /srv/samba/data # setgid bit: new files inherit group
cat >> /etc/samba/smb.conf << 'CONF'
[data]
comment = Shared Data
path = /srv/samba/data
browseable = yes
read only = no
# Only users in the smbusers group
valid users = @smbusers
create mask = 0664
directory mask = 0775
force group = smbusers
[hr]
comment = HR Department Files
path = /srv/samba/hr
# Hidden from the browse list
browseable = no
read only = no
valid users = alice, bob, @hr-team
write list = @hr-team
create mask = 0660
directory mask = 0770
CONF
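The checks below, as an added example that is not part of the original article, lint an smb.conf for three settings this guide touches: a share that is both guest-accessible and writable, a server min protocol that still admits SMB1, and a comment placed after a value on the same line, which Samba reads as part of the value. The function names, output format and sample config are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Function names, output format
# and the sample config are assumptions made for illustration.
audit_smbconf() {   # usage: audit_smbconf /etc/samba/smb.conf  (or pipe on stdin)
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function on(v)   { return tolower(v) ~ /^(yes|true|1)$/ }
    function flush() {
      # Guest access plus write access means anyone on the network can write.
      if (sec != "" && sec != "global" && guest && !ro)
        print sec ": guest-writable share (guest ok = yes, read only = no)"
      guest = 0; ro = 1          # Samba defaults: guest ok = no, read only = yes
    }
    BEGIN { guest = 0; ro = 1 }
    /^[ \t]*([#;]|$)/ { next }   # skip blank lines and full-line comments
    /^[ \t]*\[/ {                # section header: report the previous share
      flush(); sec = tolower($0); gsub(/^[ \t]*\[|\].*$/, "", sec); next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
      val = trim(substr($0, eq + 1))
      # smb.conf has no trailing comments; " # text" stays inside the value.
      if (val ~ /[ \t][#;]/)
        print sec ": \"" key "\" has an inline comment inside its value"
      if (key == "guest ok" || key == "public") guest = on(val)
      if (key == "read only") ro = on(val)
      if (key == "writeable" || key == "writable" || key == "write ok") ro = !on(val)
      if (key == "server min protocol" && tolower(val) ~ /^(core|coreplus|lanman1|lanman2|nt1)$/)
        print sec ": server min protocol = " val " allows SMB1"
    }
    END { flush() }
  ' "${1:--}"
}

sample_conf() {   # constructed input mirroring the shares in this guide
  cat <<'EOF'
[global]
server min protocol = NT1
[public]
path = /srv/samba/public
guest ok = yes
read only = no
[data]
valid users = @smbusers # Only users in smbusers group
read only = no
EOF
}

sample_conf | audit_smbconf
```

Run it against the live file with audit_smbconf /etc/samba/smb.conf; no output means none of the three conditions was found.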
Adding Samba Users and Managing Passwords
Samba maintains its own password database separate from Linux system passwords. A user must exist as a Linux system user before being added to Samba.
# Create Linux user (no shell access needed for file sharing only)
useradd -M -s /sbin/nologin alice
usermod -aG smbusers alice
# Add user to Samba's password database and set password
smbpasswd -a alice
# Prompts for Samba password (can differ from Linux password)
# Enable the Samba account
smbpasswd -e alice
# Disable a Samba account (without deleting it)
smbpasswd -d alice
# List all Samba users
pdbedit -L -v
# Change a Samba password
smbpasswd alice
Firewall Configuration
# firewalld (RHEL/Rocky)
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
# UFW (Ubuntu)
ufw allow samba
# iptables/nftables: Samba ports
# 137/UDP: NetBIOS name service (nmbd)
# 138/UDP: NetBIOS datagram service
# 139/TCP: NetBIOS session service (legacy SMB)
# 445/TCP: SMB over TCP (modern, primary port)
# Restrict to a specific subnet for security: use the rich rule instead of the
# blanket --add-service=samba above, which admits every source in the zone
firewall-cmd --permanent --remove-service=samba
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="samba" accept'
firewall-cmd --reload
Connecting from Windows Clients
# Option 1: Map a network drive via Explorer
# Open File Explorer > This PC > Map network drive
# Folder: \\fileserver\data (or \\192.168.1.50\data)
# Check "Connect using different credentials" if different from Windows login
# Option 2: Windows command line
net use Z: \\fileserver\data /user:alice
# Prompts for Samba password
# Option 3: Persistent mapping
net use Z: \\fileserver\data /user:alice /persistent:yes
# Browse available shares on a server
net view \\fileserver
Connecting from Linux and macOS Clients
# List shares on a Samba server
smbclient -L //192.168.1.50 -U alice
# Connect interactively (like an FTP-style client)
smbclient //192.168.1.50/data -U alice
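# Mount a Samba share on Linux (cifs-utils required)
# A password= option on the command line ends up in shell history and the process list;
# leave it out to be prompted, or use a credentials file as in the fstab example below
mount -t cifs //192.168.1.50/data /mnt/data \
-o username=alice,password=secret,uid=$(id -u),gid=$(id -g),vers=3.0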
# Persistent mount in /etc/fstab
echo "//fileserver/data /mnt/data cifs credentials=/etc/samba/alice.creds,uid=1001,gid=1001,vers=3.0,_netdev 0 0" >> /etc/fstab
# Credentials file (keep permissions tight)
cat > /etc/samba/alice.creds << 'CREDS'
username=alice
password=secret
domain=WORKGROUP
CREDS
chmod 600 /etc/samba/alice.creds
# macOS: Connect via Finder > Go > Connect to Server
# smb://fileserver/data
Joining Samba to Active Directory as a Member Server
# Install required packages
dnf install -y samba samba-winbind samba-winbind-clients oddjob-mkhomedir # RHEL/Rocky
apt install -y samba winbind libnss-winbind libpam-winbind # Ubuntu
# Configure smb.conf for AD membership
cat > /etc/samba/smb.conf << 'CONF'
[global]
# AD NetBIOS domain name
workgroup = EXAMPLE
# AD realm (Kerberos)
realm = EXAMPLE.COM
security = ads
kerberos method = secrets and keytab
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend = tdb
idmap config * : range = 10000-999999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 1000000-1999999
[data]
path = /srv/samba/data
valid users = @"EXAMPLE\Domain Users"
read only = no
CONF
# Join the domain (requires AD admin credentials)
net ads join -U administrator@EXAMPLE.COM
# Start winbindd
systemctl enable --now winbind
# Verify domain join
net ads testjoin
wbinfo -u # List domain users
wbinfo -g # List domain groups
Permissions: Linux Ownership vs Samba ACLs
# Samba translates between Linux POSIX permissions and Windows ACLs
# The create mask / directory mask settings control permissions on new files
# Show the effective value of one parameter for a share (here: path of [data])
testparm -s --parameter-name="path" --section-name="data"
# For fine-grained ACLs matching Windows behavior, enable POSIX ACLs on the filesystem
# and install the acl package, which provides setfacl and getfacl:
dnf install -y acl # RHEL/Rocky; apt install -y acl on Ubuntu/Debian
# Set a POSIX ACL so the hr-team group has full access
setfacl -R -m g:hr-team:rwx /srv/samba/hr
setfacl -R -m d:g:hr-team:rwx /srv/samba/hr # Default ACL for new files
# Check ACLs
getfacl /srv/samba/hr
Monitoring with smbstatus and Logs
# Show all current Samba connections and open files
smbstatus
# Show only connections (no file list)
smbstatus -S
# Show locked files
smbstatus -L
# Watch connection count in real time (counts rows whose second column is a PID)
watch -n 5 "smbstatus -S | grep -cE '^[^ ]+ +[0-9]+ '"
# Log files location
ls -lh /var/log/samba/
# log.smbd: main smbd log
# log.nmbd: nmbd log
# log.<client>: per-client logs (from log file = /var/log/samba/log.%m)
# Increase log verbosity temporarily for debugging
smbcontrol smbd debug 5 # Level 5 = verbose; default is 1
Troubleshooting Common Issues
# "NT_STATUS_LOGON_FAILURE": wrong Samba password or account disabled
smbpasswd -e username # Re-enable account
pdbedit -L | grep username # Verify account exists
# "NT_STATUS_ACCESS_DENIED": permission problem
# Check Linux filesystem permissions on the share path:
ls -la /srv/samba/data
# Check smb.conf valid users / write list settings
testparm -s # Review effective configuration
# Windows can't see the server in Network Neighborhood
systemctl status nmb # Verify nmbd is running
# Try accessing by IP instead: \\192.168.1.50\data
# SMB1 client can't connect (legacy Windows XP or old NAS devices)
# In smb.conf [global], temporarily add:
# server min protocol = NT1
# (Re-enable only if absolutely required; SMB1 is insecure)
# AD join fails
ping -c 3 EXAMPLE.COM # DNS must resolve the AD domain
kinit administrator@EXAMPLE.COM # Test Kerberos authentication
klist # Verify Kerberos ticket
Conclusion
Samba remains the most practical solution for integrating Linux servers into environments where Windows clients need network file access. Whether you are setting up a simple workgroup share for a small team, enforcing per-user authenticated access to department directories, or joining a production Linux server to an enterprise Active Directory domain, Samba handles all three scenarios with the same daemon and configuration file. The key to a clean deployment is starting with a minimal smb.conf (global settings, one or two shares, correct valid users and permission masks), then layering in complexity as needed. Keep SMB1 disabled, restrict shares to specific subnets in your firewall, and use smbpasswd for user management rather than sharing root access. A well-configured Samba server is transparent to Windows users while remaining fully auditable from the Linux side.
About Ramesh Sundararamaiah
Red Hat Certified Architect
Expert in Linux system administration, DevOps automation, and cloud infrastructure. Specializing in Red Hat Enterprise Linux, CentOS, Ubuntu, Docker, Ansible, and enterprise IT solutions.