How to Configure Samba User Authentication Without Creating UNIX Accounts


When setting up Samba shares on Debian systems, you can create authentication credentials without corresponding UNIX accounts. This is done with Samba's standalone user database.

Edit your /etc/samba/smb.conf file to include these critical parameters:

[global]
   security = user
   passdb backend = tdbsam

After configuring the smb.conf file, use the pdbedit command to create users exclusively for Samba:

sudo pdbedit -a -u username

The system will prompt you to set a password that will be stored in Samba's TDB database, not in the UNIX password system.

Check your Samba users with:

sudo pdbedit -L

This lists the users in Samba's database; system users are not shown.

For more complex scenarios where you need specific share permissions:

[secure_share]
   path = /srv/samba/secure
   valid users = @smbgroup
   write list = smbadmin
   create mask = 0660
   directory mask = 0770

Then create the Samba group and add users:

sudo net group add smbgroup
sudo net groupmap add sid=S-1-5-21-... unixgroup=smbgroup type=domain
sudo net groupmap addmem smbgroup username

While convenient, remember that:

  • Samba passwords are stored separately from system passwords
  • File permissions still rely on the share's underlying UNIX permissions
  • Consider using force user and force group parameters for consistent access

If authentication fails:

  1. Verify the user exists in pdbedit -L
  2. Check Samba logs at /var/log/samba/
  3. Ensure the share definition allows the user/group

When configuring Samba shares on Debian, you may want to create authentication credentials that exist purely within Samba's user database without corresponding UNIX system accounts. This is particularly useful for:

  • File sharing with external partners
  • Temporary access credentials
  • Service accounts with limited permissions

Samba maintains its own password database, managed with the smbpasswd tool, which can operate independently of the system's /etc/passwd. To add a user:

# First, add the user to Samba's database
sudo smbpasswd -a username

# This will prompt for password entry twice
# Note: The user doesn't need to exist in /etc/passwd

Your smb.conf must include these parameters in the [global] section:

[global]
   security = user
   passdb backend = tdbsam
   map to guest = bad user

Create a share that allows both authenticated (Samba-only) users and guest access:

[shared_folder]
   path = /srv/samba/shared
   browseable = yes
   read only = no
   guest ok = yes
   create mask = 0666
   directory mask = 0777
   force user = nobody

Since these users don't have system accounts, you'll need to handle file permissions differently:

# Set directory ownership to nobody (or a designated system user)
sudo chown -R nobody:nogroup /srv/samba/shared

# Set appropriate permissions
sudo chmod -R u=rwx,g=rwx,o=rx /srv/samba/shared
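
A check for the guest-share settings above, as an added example that is not part of the original article: audit_smb_conf (a hypothetical helper name) reads an smb.conf and reports shares where guest ok is combined with write access or world-writable masks, plus map to guest = bad user in [global]. The sample configuration is constructed from the two share definitions on this page.

```shell
#!/bin/sh
# Added example (not from the original article): lint smb.conf for guest-writable shares.
# audit_smb_conf and sample_conf are hypothetical helper names.
audit_smb_conf() {  # $1 = path to smb.conf; prints one "section: finding" line per issue
    awk '
    function yes(v) { return v == "yes" || v == "true" || v == "1" }
    function report() {
        if (sec == "" || sec == "global" || !guest) return
        if (rw) print sec ": guests can write (guest ok with read only = no)"
        if (cmask ~ /[2367]$/) print sec ": create mask " cmask " allows world-writable files"
        if (dmask ~ /[2367]$/) print sec ": directory mask " dmask " allows world-writable directories"
    }
    /^[ \t]*([#;]|$)/ { next }                      # skip comments and blank lines
    /^[ \t]*\[/ {                                   # section header: report the previous share
        report(); sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
        guest = rw = 0; cmask = dmask = ""; next
    }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(substr($0, 1, eq - 1)); val = tolower(substr($0, eq + 1))
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "guest ok" || key == "public") guest = yes(val)
        else if (key == "read only") rw = !yes(val)
        else if (key == "writable" || key == "writeable" || key == "write ok") rw = yes(val)
        else if (key == "create mask" || key == "create mode") cmask = val
        else if (key == "directory mask" || key == "directory mode") dmask = val
        else if (sec == "global" && key == "map to guest" && val == "bad user")
            print "global: unknown usernames are mapped to the guest account"
    }
    END { report() }
    ' "$1"
}
sample_conf() {  # constructed sample based on the two shares shown on this page
    cat <<'EOF'
[global]
   map to guest = bad user
[secure_share]
   valid users = @smbgroup
   create mask = 0660
   directory mask = 0770
[shared_folder]
   read only = no
   guest ok = yes
   create mask = 0666
   directory mask = 0777
EOF
}
tmp=$(mktemp) && sample_conf > "$tmp" && audit_smb_conf "$tmp"; rm -f "$tmp"
```

On the constructed sample, secure_share produces no findings because it does not allow guests; the findings come from [global] and shared_folder.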

For more control over Samba users, use the pdbedit tool:

# List all Samba users
sudo pdbedit -L

# View specific user details
sudo pdbedit -v -u username

# Modify user properties
sudo pdbedit -r -u username