How to Hide Samba Shares from Unauthorized Users While Maintaining Visibility for Authorized Access


11 views

When configuring Samba shares, one common requirement is to create shares that are completely invisible to guest/unauthenticated users while remaining fully accessible (and visible) to authorized users. The standard browseable = no parameter makes shares disappear for everyone, which doesn't meet this specific need.

First, ensure you're using security = user mode (not security = share) as it provides proper user-level authentication:

[global]
   workgroup = WORKGROUP
   server string = Samba Server
   security = user
   map to guest = Bad User

The effective approach combines several parameters:

[private]
   comment = Restricted access share
   path = /srv/private
   browseable = yes
   guest ok = no
   valid users = @smbadmin
   create mask = 0770
   directory mask = 0770
   writable = yes

For more granular control, consider these additional parameters:

[ultra-private]
   path = /srv/confidential
   browseable = auto
   hide unreadable = yes
   read only = no
   valid users = @executives
   veto files = /*.tmp/*.temp/
   delete veto files = yes

After configuration changes, always verify with:

testparm -s
smbcontrol all reload-config

Check visibility from client machines using both authenticated and guest connections.

Here's a complete working example for a development team environment:

[dev-team]
   path = /projects/dev
   browseable = yes
   hide unreadable = yes
   read only = no
   valid users = @dev-team @qa-team
   force group = dev-team
   create mask = 0775
   directory mask = 2775
   inherit permissions = yes
   vfs objects = acl_xattr
   store dos attributes = yes

When configuring Samba shares with mixed access levels, administrators often face this specific visibility challenge: How to prevent guest/unauthenticated users from seeing restricted shares in network browse lists while keeping them accessible to authorized users. The standard browseable parameter acts as a blunt instrument that affects all users equally.

[global]
   security = user
   map to guest = bad user
   guest account = nobody

The key lies in combining Samba's access control features with proper authentication mechanisms. Here's the technical breakdown:

  1. Switch from security = share to security = user mode for proper authentication
  2. Implement user-level access controls
  3. Use Samba's hide unreadable global parameter

First, modify your global settings:

[global]
   workgroup = WORKGROUP
   server string = Samba Server
   security = user
   passdb backend = tdbsam
   hide unreadable = yes
   browseable = yes

Then configure your private share with explicit access controls:

[private]
   comment = Restricted Access Share
   path = /srv/samba/private
   valid users = @smbadmin
   read only = no
   create mask = 0770
   directory mask = 0770
   force group = smbadmin
   browseable = yes
   hide unreadable = yes

For more granular control, consider these additional parameters:

[secured]
   path = /srv/samba/classified
   valid users = user1, user2
   invalid users = guest, nobody
   read list = user1
   write list = user2
   veto files = /*.tmp/*.temp/
   hide files = /secret_*.txt/
   hide unreadable = yes

After making changes, always verify configuration and restart services:

testparm
systemctl restart smbd nmbd

Test visibility from both authenticated and guest sessions:

smbclient -L localhost -U%
smbclient -L localhost -U authorized_user

If shares remain visible:

  • Verify Linux filesystem permissions match Samba settings
  • Check for conflicting parameters in [global] section
  • Clear client-side browse cache with net use * /delete on Windows