Configuring Samba on 2 interfaces

Hello, I've got an installation of LEDE that has been working happily for years. I've got two local networks - LAN and GUEST. LAN is encrypted, meant for house folk, with access to administration, private shares and unthrottled wan access etc; the second is for visitors (and neighbors), unauthenticated, and has slightly capped wan access.

Now I'd like to add a "public" share that can be accessed from the GUEST network, but without opening the rest of my samba shares to the GUEST network. Is there a way to configure such a share? I've found the interfaces settings in samba.conf, but they seem to be global (per server) and not per share. Any suggestions?

I would put users in groups and set permissions by group on the share itself.

https://www.samba.org/samba/docs/using_samba/ch09.html


Thanks for the suggestion, jwoods.
The point is, the GUEST network is for random people showing up once in a while, and setting up separate users seems like overkill. Can't the interface be used as an identifying feature?

I get that...

My thought was to set up 4 or 5 guest accounts that can be re-used, rather than individual accounts...unless of course you have a lot of guests at the same time.

@jwoods' recommendation is the right way to go about this.

  1. /etc/samba/smb.conf.template needs to have the option for guests enabled
    • guest account = nobody
    • guest ok = yes
  2. A guest user needs to be added to /etc/passwd
    • guest:*:1010:1010:guest:/mnt/guest:/bin/false
  3. A guest group needs to be added to /etc/group
    • guest:x:1010:guest
  4. A guest user needs to be created for samba:
    • smbpasswd -a guest
  5. A directory needs to be made in the file system for the guest share (say /mnt/guest), and needs to be owned by the guest user and group
    • chown guest:guest /mnt/guest
      • You could also have a different user, such as an admin account or root, as the directory owner:
        • chown root:guest /mnt/guest
  6. Permissions need to be set for /mnt/guest
    • chmod 664 /mnt/guest
      • 6 is read/write
      • 4 is read
      • Execute permissions are not required for a samba share

I'd recommend a /etc/samba/smb.conf.template similar to:

#

     ##::[[---  LEDE Samba Template  ---]]::##

####################################################
             ##----- Databases -----##
####################################################

        # Disabled:
          # interfaces        = |INTERFACES|

          # hosts allow       = x.x.x.x/xx 127.0.0.1
            # Where x.x.x.x/xx is the IP and netmask value.
              # IPs need to be separated by a whitespace
                # This allows for Samba shares to only be 
                # made available to the specified IPs

    # Global Settings #
#---------------------------------------------------

[global]
    bind interfaces only      = yes
    browseable                = yes
    deadtime                  = 30
    display charset           = |CHARSET|
    domain master             = yes
    encrypt passwords         = true
    enable core files         = no
    guest account             = nobody
    guest ok                  = yes
    #hosts allow               = x.x.x.x/xx 127.0.0.1
    interfaces                = lo br-lan
    invalid users             = root
    local master              = yes
    log file                  = /var/log/samba/%m-%I.log
    load printers             = no
    map to guest              = Bad User
    max log size              = 50
    max protocol              = SMB3_11
    min protocol              = SMB2
    min receivefile size      = 16384
    netbios name              = |NAME|
    null passwords            = no
    obey pam restrictions     = yes
    os level                  = 20
    passdb backend            = smbpasswd
    preferred master          = yes
    printable                 = no
    security                  = user
    server string             = |DESCRIPTION|
    smb encrypt               = disabled
    smb passwd file           = /etc/samba/smbpasswd
    socket options            = TCP_NODELAY IPTOS_LOWDELAY
    syslog                    = 2
    unix charset              = |CHARSET|
    use sendfile              = yes
    workgroup                 = |WORKGROUP|
    writeable                 = yes

Lastly, the share needs to be configured in /etc/config/samba


#

    ##::[[---  LEDE Samba Config  ---]]::##

####################################################
               ##----- Global -----##
####################################################

    # General #
#---------------------------------------------------
config samba
    option  description     'PNY USB 3'
    option  homes           1
    option  name            'LEDE'
    option  workgroup       'WRT'


    # Shares #
#---------------------------------------------------
config sambashare
    option  browseable      'yes'
    option  create_mask     0660
    option  dir_mask        0750
    option  guest_ok        'yes'
    option  name            'Guests'
    option  path            '/mnt/guest'
    option  public          'no'
    option  read_only       'no'
    option  users           'guest'
  • option workgroup 'WRT' must be set to the workgroup of your LAN
    • The workgroup name should be the same as the local domain for the router in /etc/config/dhcp
      #
      
            ##::[[---  LEDE DHCP Config  ---]]::##
      
      ####################################################
                   ##----- DNS Server -----##
      ####################################################
      
          # DNS Masq #
      #---------------------------------------------------
      config dnsmasq
          option  domain                  'WRT'
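
An added example, not part of any post in this thread: Samba's `hosts allow` and `hosts deny` can be set per share as well as globally, so the client's subnet can decide which shares it reaches. The script below models that precedence over a constructed smb.conf; the two subnets, the `br-guest` interface name and the `Private` share are assumptions.

```python
import configparser
import ipaddress

# Constructed smb.conf fragment (not from the thread). Assumed names:
# LAN = 192.168.1.0/24 on br-lan, GUEST = 192.168.2.0/24 on br-guest.
# No "hosts allow" in [global]: set there, it applies to every share.
SAMPLE_CONF = """
[global]
interfaces = lo br-lan br-guest
bind interfaces only = yes

[Private]
path = /mnt/private
guest ok = no
hosts allow = 192.168.1.0/24

[Guests]
path = /mnt/guest
guest ok = yes
hosts allow = 192.168.1.0/24 192.168.2.0/24
"""

def _nets(value):
    """Parse a space- or comma-separated list of IPs / CIDR networks."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]

def share_allows(section, client_ip):
    """Simplified Samba hosts allow/deny precedence; IP and CIDR entries only."""
    ip = ipaddress.ip_address(client_ip)
    allow = _nets(section.get("hosts allow", ""))
    deny = _nets(section.get("hosts deny", ""))
    if any(ip in net for net in allow):
        return True                  # a match in the allow list wins
    if any(ip in net for net in deny):
        return False
    # Unmatched: loopback passes; an allow list on its own excludes the rest.
    return ip.is_loopback or bool(deny) or not allow

def reachable_shares(conf_text, client_ip):
    """Return the sorted names of shares the client IP may connect to."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    return sorted(name for name in cp.sections()
                  if name != "global" and share_allows(cp[name], client_ip))

if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.2.50"):
        print(ip, reachable_shares(SAMPLE_CONF, ip))
```
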
      

Thanks for the additional, detailed instructions!
Why should the workgroup be the same as the local domain? I used LAN and GUEST for local domain in the 2 subnetworks, and SMB did work OK. It's only now that I want to add a partitioned share policy that I am running into trouble.