How to Make SMB Share Authentication Even Easier with Groups
Recently, we walked you through the process of creating a Samba share on Rocky Linux from the command line. That process shows how easy it is to set up a share on a per-user basis. But what if you have multiple users who need access to a share? There's an easy method of doing this, by working with Linux groups. By making an SMB share available to a group, you have better (and easier) control over who can access what share.
For example, you might have a developer group that consists of multiple users. Instead of setting the share up for each of those users, you can share it with the group to make things more efficient.
Here’s how this is done.
Requirements
To work with Samba groups, you'll need a running instance of Rocky Linux that includes Samba installed and configured. You'll also need a user with sudo privileges.
That's everything. Let's get to work.
Create the share directory and group
The first thing we'll do is create a directory to house the share. We'll stick with our developer example and create a directory within /srv with the command:
sudo mkdir /srv/dev
Next, we'll create the developer group with the command:
sudo groupadd developers
Change the group ownership for the new directory with the command:
sudo chgrp developers /srv/dev
Change the permissions of the dev directory with the command:
sudo chmod -R 770 /srv/dev
Add users to the new group
You do have to manually add each user to the group and each user must exist on the system before you add them. If you've never added a user to the system, it can be done easily with the command:
sudo adduser USER
Where USER is the name of the user.
You would then need to add a password for the user with:
sudo passwd USER
With your users created, you can then add them to the new group with the command:
sudo usermod -aG developers USER
Where USER is the name of the user to be added.
Before we continue, you must also add those users to Samba and enable them, which can be done with the following commands:
sudo smbpasswd -a USER
sudo smbpasswd -e USER
Where USER is the username. You'll be prompted to type and verify a password for the user after issuing the first command above.
Configuring the Samba Share
Next, we must add a new definition for the share. Open the Samba configuration file with the command:
sudo nano /etc/samba/smb.conf
At the bottom of that file, we'll create a definition for our share that looks like this:
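[dev]
# Directory created earlier, owned by the developers group
path = /srv/dev
browsable = yes
# "writable = yes" and "read only = no" mean the same thing
writable = yes
# Guest access is off: the share is for authenticated group members only
guest ok = no
read only = no
# Only members of the developers group may connect
valid users = @developers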
Save and close the file.
Now, any member of the developers group can access the Samba share dev, from whatever operating system they use (so long as they are on the same LAN as the machine hosting the share).
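A quick way to check a share definition for the settings that decide who may connect, as an added example that is not part of the original article. The audit_share function and the sample files are constructed for illustration, and the check assumes the @group form of valid users used in this article.

```shell
#!/bin/sh
# Added example (not from the article): audit one share in an smb.conf-style
# file for settings that weaken group-only access.
# Usage: audit_share FILE SHARE GROUP  -> one finding per line, nothing if clean
audit_share() {
    awk -v share="$2" -v group="$3" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                       # comment lines
    /^[ \t]*\[/ {                                # section header such as [dev]
        name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
        insec = (tolower(trim(name)) == tolower(share))
        if (insec) found = 1
        next
    }
    insec && index($0, "=") > 0 {
        eq  = index($0, "=")
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = trim(substr($0, eq + 1))
        # "public" is a synonym of "guest ok"; Samba booleans are yes/true/on/1
        if ((key == "guest ok" || key == "public") && tolower(val) ~ /^(yes|true|on|1)$/)
            print "guest-enabled: " key " = " val
        if (key == "valid users") {
            has_valid = 1
            n = split(val, who, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (who[i] == "@" group) has_group = 1
        }
    }
    END {
        if (!found)          print "missing-share: [" share "]"
        else if (!has_valid) print "no-valid-users: any Samba user may connect"
        else if (!has_group) print "group-not-listed: @" group
    }' "$1"
}

# Constructed sample definitions (not taken from a real server)
samples=$(mktemp -d)
printf '%s\n' '[dev]' 'path = /srv/dev' 'guest ok = yes' \
    'valid users = @developers' > "$samples/guest.conf"
printf '%s\n' '[dev]' 'path = /srv/dev' 'guest ok = no' \
    > "$samples/open.conf"
printf '%s\n' '[dev]' '  path = /srv/dev' '  guest ok = no' \
    '  valid users = @developers' > "$samples/strict.conf"

for f in guest open strict; do
    echo "== $f.conf"; audit_share "$samples/$f.conf" dev developers
done
```

On a live host, testparm -s prints the configuration as Samba itself parses it, which is the authoritative view of the same settings.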
One thing to keep in mind is that the administrator will know the users' passwords. There are ways around this for the basic user account. For example, you can force a user password expiration with the chage command like so:
sudo chage -d 0 USER
Where USER is the username.
The above command would expire the user's password immediately. The next time that user logs in, they would be forced to change their password. The problem is that there's no easy way to force a change of the Samba password. Because of that, you might need to have your users on hand when you add them to Samba. Otherwise, you could create random/strong passwords for those users, send each password to the user, make sure they memorize it or add it to their password manager, and then you, the admin, conveniently forget the password.
And that, my friends, is all there is to using groups for Samba share authentication. This is a very helpful method for controlling who has access to what shares. And remember, if you wind up with a user that needs to be prevented from accessing that share, all you have to do is remove them from the developers group with the command:
sudo gpasswd -d USER developers
Where USER is the user to be removed from the group.
Enjoy that newfound Samba control.