# Refresh the package index so apt installs current package versions.
sudo apt update
# Samba server, the smbclient test client, CIFS mount helpers and the GVfs backends.
sudo apt install -y samba smbclient cifs-utils gvfs-backends
`gvfs-backends` provides the GNOME Virtual File System (GVfs), which allows you to access remote file systems directly from your file manager (like Nautilus or Thunar) and other applications. Supported protocols: sftp, smb, ftp, dav, mtp.
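# Create Samba group
sudo addgroup smbgroup01
# Create shared directory
sudo mkdir -p /data01/smb01
# Hand the whole tree to root:smbgroup01
sudo chown -R root:smbgroup01 /data01/smb01
# Directories: rwx for owner and group plus setgid, so new entries keep the
# smbgroup01 group. Files: rw for owner and group, nothing else.
# A blanket "chmod -R 2770" would also mark every existing file executable
# and setgid, which a data share does not need.
sudo find /data01/smb01 -type d -exec chmod 2770 {} +
sudo find /data01/smb01 -type f -exec chmod 0660 {} +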
!! Replace `smbgroup01` with your Samba group.
!! Replace `/data01/smb01` with your shared directory.
`2770` ensures group inheritance (setgid) and restricts access to the owner (root) and the group only.
# Unix account for the share: no home directory and a nologin shell, so it
# cannot be used for an interactive session.
sudo useradd --no-create-home --shell /usr/sbin/nologin smbuser01
# Append smbgroup01 to the account's supplementary groups.
sudo usermod --append --groups smbgroup01 smbuser01
# Register the account in Samba's password database; prompts for the
# password that will be used when logging in to the share.
sudo smbpasswd -a smbuser01
# Mark the Samba account as enabled.
sudo smbpasswd -e smbuser01
!! Replace `smbuser01` with your Samba username.
Backup config:
# Keep a dated copy (YYYY-MM-DD) of the current configuration before editing it.
sudo cp /etc/samba/smb.conf "/etc/samba/smb.conf.$(date +%F).bk"
Edit config:
sudo nano /etc/samba/smb.conf
Add to bottom:
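[global]
# Use UTF-8 for filenames (important for Chinese, Japanese, etc.)
unix charset = UTF-8
# Require a valid username and password for every connection.
# "security" is a global parameter: inside a share section Samba logs a
# warning and ignores it, so it belongs here.
security = user
# Interfaces/subnets Samba should serve: loopback, LAN and Tailscale.
# On its own this line does not limit which sockets smbd listens on; that
# requires "bind interfaces only = yes". While that stays commented out,
# access control rests on "hosts allow" below and on the host firewall.
interfaces = 127.0.0.0/8 192.168.150.0/24 100.99.99.0/24 tailscale0
# bind interfaces only = yes # safer for LAN-only, set to "no" if using Tailscale
# Client addresses allowed to connect. Entries here are hosts or networks,
# not interface names, so tailscale0 is not listed; Tailscale clients are
# covered by the 100.99.99.0/24 entry.
hosts allow = 127.0.0.0/8 192.168.150.0/24 100.99.99.0/24
# Reject logins with an unknown username or a wrong password.
# ("Bad User" would instead map unknown usernames to the guest account.)
map to guest = Never
# SMB1 is disabled. A minimum of SMB2 still admits the 2.0.2/2.1 dialects,
# which have no transport encryption; raise it to SMB3 if every client
# supports it.
server min protocol = SMB2
server max protocol = SMB3
# Optional hardening, test with your clients before enabling:
# server signing = mandatory
# smb encrypt = required
# Reduce log verbosity (set 3+ if debugging issues)
log level = 1
[smb01]
# Path to shared folder (adjust to your system)
path = /data01/smb01
# Show the share in network browsing
browseable = yes
writable = yes
# Require authentication, no guest access
guest ok = no
valid users = @smbgroup01
# Ensure group ownership is enforced
force group = smbgroup01
# Fallback modes used if "inherit permissions" is ever switched off:
# files rw for owner/group (not executable), directories rwx for
# owner/group, nothing for others.
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770
# New files/dirs inherit the parent directory's permissions; while this is
# enabled it takes precedence over the mask and force-mode settings above.
inherit permissions = yes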
!! Replace `127.0.0.0/8 192.168.150.0/24 100.99.99.0/24 tailscale0` with your actual IP range.
!! Replace `path = /data01/smb01` with your shared directory.
!! Replace `smbgroup01` with your Samba group.
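# Check the edited smb.conf first: testparm reports syntax errors, unknown
# parameters and parameters placed in the wrong section. Fix anything it
# reports before restarting the service.
testparm -s
# Apply the configuration and start smbd on every boot.
sudo systemctl restart smbd
sudo systemctl enable smbd
# Allow SMB only from the LAN and Tailscale ranges.
sudo ufw allow from 192.168.150.0/24 to any app Samba
sudo ufw allow from 100.99.99.0/24 to any app Samba
sudo ufw reload
# Confirm the Samba rules are limited to those source ranges.
sudo ufw status verbose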
!! Replace `192.168.150.0/24` and `100.99.99.0/24` with your actual IP ranges.
smbclient //192.168.150.10/smb01 -U smbuser01
Enter in address bar:
smb://192.168.150.10/smb01
Log in with the Samba user (`smbuser01`).
Reset Samba password:
sudo smbpasswd -a username
Allow Samba firewall rule:
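# Scope the rule to the client subnet. A bare "ufw allow samba" accepts SMB
# from any source address, which undoes the per-subnet rules used for setup.
sudo ufw allow from 192.168.150.0/24 to any app Samba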
If Windows cannot connect:
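# Diagnose before touching the firewall. "iptables -F" deletes every rule in
# the filter table, including the ones ufw manages; depending on the chain
# policies that leaves the host either unfiltered or unreachable.
# 1. Is the client's subnet allowed for Samba?
sudo ufw status verbose
# 2. Is smbd listening (ports 445/139)?
sudo ss -tlnp | grep smbd
# 3. What does smbd log for the failed connection?
sudo journalctl -u smbd -n 50 --no-pager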