The procedure below creates a network volume which can be accessed by multiple users, but only if they have authenticated. It implements Samba's user-level security; the resulting volume works similarly to a share on a Windows system, where permissions to the share are restricted to certain users or groups. This kind of setup is useful for a business environment, where a shared, central and secure space is required.
However, the procedure below does not use or define a Windows domain, and is thus best suited for businesses with a single server (or a series of standalone servers) where domains are not used. In particular, as domains are not used, "single sign-on" is not possible. In a small business environment this is not likely to pose a problem; however, when multiple servers are deployed, password management and synchronisation can become an issue. If you have multiple servers, see creating a PDC and creating a member server.
In addition to the shared volume, the procedure below also defines a home directory for each user, which only they can access. This private network space is useful for storing files, which should not be shared, in a central location.
See also: troubleshooting Samba
Note: these last three settings will cause this server to become the master browser on your LAN. Only one server should be the master browser. Do not set these on more than one server.
[private]
comment = description of the share (optional)
path = /data/smbspace
read only = no
valid users = testuser
If more than one user will be accessing the share, it's possible to include a unix user group in the 'valid users' line.
For example, this will give access to the share to all users in the 'staff' group:
valid users = @staff
mkdir /data/smbspace
chgrp -R staff /data/smbspace
chmod -R 770 /data/smbspace
The user must be a member of a group which has permissions to the share. In the example above, user 'testuser' must be a member of the 'staff' group in order to gain access.
To create a new 'staff' group, use this command:
pw groupadd staff
Note: this uses the FreeBSD-specific pw command (see the pw(8) manual page).
create mask = 0660
directory mask = 0771
These masks give every user of the share the ability to read, write and delete all files and directories on it, regardless of which user created them.
pw useradd -n testuser -s /sbin/nologin -c "Test User" -g staff -m
The example above creates a user called 'testuser' and adds it to the 'staff' group. Unless otherwise desired, the unix user account should have its shell set to "nologin". This does not prevent the user from accessing the share, but it does stop them logging in with telnet, etc. Note that -c is the comment field; Windows XP displays it at the top of the Start menu, e.g. "Test User". Also note that no password is defined for the unix user account; that is fine, as the account is set to "nologin". Lastly, note that -m tells pw to create the user's home directory; if you're not creating home directories, remove it.
echo samba_enable=\"YES\" >> /etc/rc.conf
A reboot is recommended here. This will put the Samba binaries into the path, and verify that Samba starts automatically. Don't forget to log back in as root before continuing.
smbpasswd -a testuser
The users must already exist on the system (i.e. a unix user account must exist for each Samba user). The SMB password can be different from the unix user account password.
net use k: \\sambaserver\sharename password /user:testuser
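Once the procedure above is complete, it is worth checking that the two layers agree: Samba's 'valid users' line and the unix group ownership and 770 mode on the share directory. The script below is an added example, not part of the original page; it parses a constructed smb.conf fragment, checks group membership with id(1), and verifies the directory's group and mode from the POSIX columns of ls -l (so it runs on FreeBSD and Linux alike). The share name [private], the path and the 'staff' group are taken from this page; the function names are this example's own.

```shell
#!/bin/sh
# Constructed smb.conf fragment: the [private] share from this page, with a group in "valid users".
SMB_CONF_SAMPLE='[global]
workgroup = WORKGROUP

[private]
path = /data/smbspace
read only = no
valid users = @staff
create mask = 0660
directory mask = 0771
'

# smb_param CONF SHARE PARAMETER: print one parameter's value from one section.
smb_param() {
    printf '%s\n' "$1" | awk -v share="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == share); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# in_group USER GROUP: succeed if USER belongs to GROUP, which "valid users =
# @GROUP" requires before the unix permissions are even consulted.
in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do [ "$g" = "$2" ] && return 0; done
    return 1
}

# check_share_dir PATH GROUP: the share directory must be group-owned by GROUP and
# mode 770 (2770 with setgid also accepted), so a user outside GROUP is stopped by
# the filesystem even if the Samba side were misconfigured.
check_share_dir() {
    [ -d "$1" ] || { echo "missing directory: $1"; return 1; }
    set -- "$1" "$2" $(ls -ld "$1")   # now $3 = mode string, $6 = group owner
    [ "$6" = "$2" ] || { echo "group is $6, expected $2"; return 1; }
    case "$3" in
        drwxrw[xs]---*) return 0 ;;   # trailing + or . (ACL/SELinux flag) is fine
        *) echo "mode $3 is not 770: users outside $2 can reach it"; return 1 ;;
    esac
}

# Usage on a real server (hypothetical path; /data/smbspace may not exist here):
grp=$(smb_param "$SMB_CONF_SAMPLE" private 'valid users' | sed 's/^@//')
check_share_dir "$(smb_param "$SMB_CONF_SAMPLE" private path)" "$grp" || true
```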