Skip to main content

smb / samba

Samba Setup on Linux (Home Server)

A practical guide to installing and configuring Samba for a home network, covering a shared folder setup suitable for a home wiki or general file server.


1. Install Samba

sudo apt update && sudo apt install samba samba-common-bin -y

Verify it's running:

sudo systemctl status smbd nmbd

Both should be active. If not:

sudo systemctl enable smbd nmbd --now

2. Create the Share Directory

sudo mkdir -p /srv/samba/wiki
sudo chown -R conor:conor /srv/samba/wiki
sudo chmod 755 /srv/samba/wiki

Adjust owner to your actual Linux username.


3. Configure Samba

Back up the default config first:

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

Edit the config:

sudo nano /etc/samba/smb.conf

Global section — replace or update:

[global]
   workgroup = WORKGROUP
   server string = Home Server
   server role = standalone server
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d

   # Security
   security = user
   map to guest = never
   encrypt passwords = yes

   # Performance
   socket options = TCP_NODELAY IPTOS_LOWDELAY
   read raw = yes
   write raw = yes
   use sendfile = yes

Share definition — add to the bottom:

[wiki]
   comment = Home Wiki
   path = /srv/samba/wiki
   browseable = yes
   read only = no
   valid users = conor
   create mask = 0664
   directory mask = 0775
   force group = conor

4. Create Samba User

Samba uses its own password store separate from Linux system passwords. The Linux user must already exist.

sudo smbpasswd -a conor

You'll be prompted to set a Samba-specific password. Enable the user:

sudo smbpasswd -e conor

5. Validate Config and Restart

Test the config for syntax errors:

testparm

If clean:

sudo systemctl restart smbd nmbd

6. Firewall

If UFW is active:

sudo ufw allow samba

This opens ports 137, 138 (UDP) and 139, 445 (TCP).


7. Connect From Clients

Linux (Files / Nautilus):

smb://SERVER_IP/wiki

Or mount via CLI:

sudo mount -t cifs //SERVER_IP/wiki /mnt/wiki -o username=conor,password=yourpass,uid=1000,gid=1000

Permanent via /etc/fstab:

//SERVER_IP/wiki  /mnt/wiki  cifs  credentials=/home/conor/.smbcredentials,uid=1000,gid=1000,_netdev,x-systemd.automount  0  0

/home/conor/.smbcredentials:

username=conor
password=yourpass
chmod 600 /home/conor/.smbcredentials

macOS:

Finder → Go → Connect to Server → smb://SERVER_IP/wiki

Windows:

\\SERVER_IP\wiki in Explorer address bar, or map as a network drive.


8. Tailscale Consideration

Since you're on Tailscale, use the Tailscale IP (100.x.x.x) instead of the LAN IP for consistent access across all your machines regardless of which network you're on. This also avoids exposing Samba to the public internet — Samba should never be exposed publicly, it has a long CVE history (EternalBlue, etc.).

Bind Samba only to your LAN + Tailscale interfaces to be safe:

[global]
   interfaces = lo tailscale0 eth0
   bind interfaces only = yes

Replace eth0 with your actual LAN interface (ip a to check).


9. Verify the Share is Visible

From the server itself:

smbclient -L localhost -U conor

From another machine:

smbclient -L //SERVER_IP -U conor

You should see wiki listed under shares.


10. Troubleshooting

Symptom Likely cause Fix
"Permission denied" on connect Wrong Samba password or user not enabled smbpasswd -e username
Share not visible browseable = no or firewall Check config + ufw status
Can connect but can't write Directory permissions chmod 775 /srv/samba/wiki
Works on LAN, not Tailscale Interfaces binding Add tailscale0 to interfaces
testparm errors Config syntax Read the output carefully, it's specific

Notes

  • Samba passwords and Linux system passwords are independent — changing one doesn't change the other.
  • For a multi-user setup, create a dedicated group (e.g., sambashare) and use valid users = @sambashare in the share definition.
  • If you're running this on the same machine as your wiki app (e.g., WikiJS, Obsidian vault server), Samba is a good way to access the underlying vault files directly from other machines for editing.