When configuring Samba shares, one common requirement is to create shares that are completely invisible to guest/unauthenticated users while remaining fully accessible (and visible) to authorized users. The standard browseable = no parameter makes shares disappear for everyone, which doesn't meet this specific need.
First, ensure you're using security = user mode (not security = share) as it provides proper user-level authentication:
[global]
workgroup = WORKGROUP
server string = Samba Server
security = user
map to guest = Bad User
The effective approach combines several parameters:
[private]
comment = Restricted access share
path = /srv/private
browseable = yes
guest ok = no
valid users = @smbadmin
create mask = 0770
directory mask = 0770
writable = yes
For more granular control, consider these additional parameters:
[ultra-private]
path = /srv/confidential
browseable = auto
hide unreadable = yes
read only = no
valid users = @executives
veto files = /*.tmp/*.temp/
delete veto files = yes
After configuration changes, always verify with:
testparm -s
smbcontrol all reload-config
Check visibility from client machines using both authenticated and guest connections.
Here's a complete working example for a development team environment:
[dev-team]
path = /projects/dev
browseable = yes
hide unreadable = yes
read only = no
valid users = @dev-team @qa-team
force group = dev-team
create mask = 0775
directory mask = 2775
inherit permissions = yes
vfs objects = acl_xattr
store dos attributes = yes
When configuring Samba shares with mixed access levels, administrators often face this specific visibility challenge: How to prevent guest/unauthenticated users from seeing restricted shares in network browse lists while keeping them accessible to authorized users. The standard browseable parameter acts as a blunt instrument that affects all users equally.
[global]
security = user
map to guest = bad user
guest account = nobody
The key lies in combining Samba's access control features with proper authentication mechanisms. Here's the technical breakdown:
- Switch from
security = sharetosecurity = usermode for proper authentication - Implement user-level access controls
- Use Samba's
hide unreadableglobal parameter
First, modify your global settings:
[global]
workgroup = WORKGROUP
server string = Samba Server
security = user
passdb backend = tdbsam
hide unreadable = yes
browseable = yes
Then configure your private share with explicit access controls:
[private]
comment = Restricted Access Share
path = /srv/samba/private
valid users = @smbadmin
read only = no
create mask = 0770
directory mask = 0770
force group = smbadmin
browseable = yes
hide unreadable = yes
For more granular control, consider these additional parameters:
[secured]
path = /srv/samba/classified
valid users = user1, user2
invalid users = guest, nobody
read list = user1
write list = user2
veto files = /*.tmp/*.temp/
hide files = /secret_*.txt/
hide unreadable = yes
After making changes, always verify configuration and restart services:
testparm
systemctl restart smbd nmbd
Test visibility from both authenticated and guest sessions:
smbclient -L localhost -U%
smbclient -L localhost -U authorized_user
If shares remain visible:
- Verify Linux filesystem permissions match Samba settings
- Check for conflicting parameters in [global] section
- Clear client-side browse cache with
net use * /deleteon Windows