How to Make SMB Share Authentication Even Easier with Groups

April 3, 2023

Recently, we walked you through the process of creating a Samba share on Rocky Linux from the command line. That process shows how easy it is to set up a share on a per-user basis. But what if you have multiple users who need access to a share? There's an easy method of doing this, by working with Linux groups. By making an SMB share available to a group, you have better (and easier) control over who can access what share.

For example, you might have a developer group that consists of multiple users. Instead of setting the share up for each of those users, you can share it with the group to make things more efficient.

Here’s how this is done.

Requirements

To work with Samba groups, you'll need a running instance of Rocky Linux that includes Samba installed and configured. You'll also need a user with sudo privileges.

That's everything. Let's get to work.

Create the share directory and group

The first thing we'll do is create a directory to house the share. We'll stick with our developer example and create a directory within /srv with the command:

sudo mkdir /srv/dev

Next, we'll create the developer group with the command:

sudo groupadd developers

Change the group ownership for the new directory with the command:

sudo chgrp developers /srv/dev

Change the permissions of the dev directory with

sudo chmod -R 770 /srv/dev

Add users to the new group

You do have to manually add each user to the group and each user must exist on the system before you add them. If you've never added a user to the system, it can be done easily with the command:

sudo adduser USER

Where USER is the name of the user.

You would then need to add a password for the user with:

sudo passwd USER

With your users created, you can then add them to the new group with the command:

sudo usermod -aG developers USER

Where USER is the name of the user to be added.

Before we continue, you must also add and enable those users to Samba, which can be done with the following commands:

sudo smbpasswd -a USER

sudo smbpasswd -e USER

Where USER is the username. You'll be prompted to type and verify a password for the user after issuing the first command above.

Configuring the Samba Share

Next, we must add a new definition for the share. Open the Samba configuration file with the command:

sudo nano /etc/samba/smb.conf

At the bottom of that file, we'll create a definition for our share that looks like this:

[dev]

path = /srv/dev

browsable = yes

writable = yes

guest ok = yes

read only = no

valid users = @developers

Save and close the file.

Now, any member of the developers group can access the Samba share dev, from whatever operating system they use (so long as they are on the same LAN as the machine hosting the share).

One thing to keep in mind is that the administrator will know the user's passwords. There are ways around this for the basic username. For example, you can force a user password expiration with the chage command like so:

sudo chage -d 0 USER

Where USER is the username.

The above command would expire the user's password immediately. The next time that user logged in, they would be forced to change their password. The problem is that there's no easy way to force a change of the Samba password. Because of that, you might need to have your users on hand when you add them to Samba. Otherwise, you could create random/strong passwords for those users, send each password to the user, make sure they memorize it or add it to their password manager, and then you, the admin, conveniently forget the password.

And that, my friends, is all there is to using groups for Samba share authentication. This is a very helpful method for controlling who has access to what shares. And remember, if you wind up with a user that needs to be prevented from accessing that share, all you have to do is remove them from the developers group with the command: