Install
# Debian / Ubuntu
sudo apt install samba samba-common-bin
# Fedora / RHEL
sudo dnf install samba
# Arch
sudo pacman -S samba
The minimum-viable smb.conf
Edit /etc/samba/smb.conf. The default file is huge; replace it with this minimal modern version:
[global]
workgroup = HOMELAB
server string = NAS
netbios name = nas
server role = standalone server
# Force modern protocols only
server min protocol = SMB3_00
server smb encrypt = desired
client min protocol = SMB3_00
# Logging
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
# No DNS lookups for unregistered NetBIOS names, and no printer sharing (just makes for cleaner logs)
dns proxy = no
load printers = no
disable spoolss = yes
# Default ID mapping (standalone)
idmap config * : backend = tdb
idmap config * : range = 100000-999999
# macOS extensions (vfs_fruit) for Apple metadata + Time Machine
vfs objects = fruit streams_xattr
fruit:metadata = stream
fruit:model = MacSamba
fruit:posix_rename = yes
fruit:veto_appledouble = no
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
[photos]
path = /srv/samba/photos
browseable = yes
read only = no
create mask = 0664
directory mask = 0775
valid users = amir
[backups]
path = /srv/samba/backups
browseable = yes
read only = no
create mask = 0660
directory mask = 0770
valid users = amir
# Time Machine (macOS)
fruit:time machine = yes
fruit:time machine max size = 2T
Create Samba users + set passwords
Samba has its own user database (mapped to Unix UIDs). For each user:
# Create the Unix user first (if not existing)
sudo useradd -m amir
# Then create the corresponding Samba user (sets a separate Samba password)
sudo smbpasswd -a amir
# Enter password twice
# Verify
sudo pdbedit -L
Create the share directories
sudo mkdir -p /srv/samba/{photos,backups}
sudo chown -R amir:amir /srv/samba
sudo chmod 770 /srv/samba/backups # restrict more
sudo chmod 775 /srv/samba/photos
Validate + start
# Lint the config
sudo testparm
# Walks through smb.conf and prints what Samba sees
# Start
sudo systemctl enable --now smbd nmbd
sudo systemctl status smbd
The two daemons: smbd serves file traffic; nmbd does NetBIOS name announcements (mostly legacy — modern Windows / macOS use mDNS / WS-Discovery instead, so disable nmbd if you don't need it).
Connect from Windows
Windows Explorer → Map Network Drive → \\nas.lab\photos. Prompts for Samba username + password. Bookmark.
Or via PowerShell:
New-PSDrive -Name P -PSProvider FileSystem -Root \\nas.lab\photos `
-Credential (Get-Credential) -Persist
Connect from macOS
Finder → Go → Connect to Server → smb://nas.lab/photos. macOS keychain remembers credentials.
For Time Machine target: System Settings → Time Machine → Add backup destination → pick the Samba share with fruit:time machine = yes. macOS treats it as a native AFP-shaped Time Machine drive.
Connect from Linux
sudo apt install cifs-utils
# Mount once
sudo mkdir /mnt/photos
sudo mount -t cifs //nas.lab/photos /mnt/photos \
-o username=amir,uid=$(id -u),gid=$(id -g),vers=3.0
# Permanent via /etc/fstab
//nas.lab/photos /mnt/photos cifs credentials=/etc/cifs-credentials,vers=3.0,uid=1000,gid=1000,_netdev 0 0
# /etc/cifs-credentials (chmod 600!)
username=amir
password=<samba-password>
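A check for the two ways this setup can leak the Samba password on a Linux client: a password written inline in the world-readable /etc/fstab, or a credentials file readable by group or other. This is an added example, not part of the original tutorial; the function names, the temporary file paths and the sample fstab lines are constructed for illustration.

```python
import os, stat, tempfile

def check_cifs_fstab(fstab_text):
    """Flag cifs fstab entries with inline passwords or loose credentials files."""
    findings = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#") or fields[2] != "cifs":
            continue
        mountpoint = fields[1]
        # Options are comma-separated key[=value] pairs; bare flags map to "".
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        if "password" in opts or "pass" in opts:
            findings.append(f"{mountpoint}: password is inline in fstab")
        cred = opts.get("credentials") or opts.get("cred")
        if not cred:
            continue
        try:
            mode = stat.S_IMODE(os.stat(cred).st_mode)
        except OSError:
            findings.append(f"{mountpoint}: cannot stat {cred}")
            continue
        if mode & 0o077:  # any group/other permission bit set
            findings.append(f"{mountpoint}: {cred} is mode {mode:03o}, want 600")
    return findings

def demo():
    """Constructed sample: one loose file, one tight file, one inline password."""
    with tempfile.TemporaryDirectory() as d:
        loose, tight = os.path.join(d, "loose"), os.path.join(d, "tight")
        for path, mode in ((loose, 0o644), (tight, 0o600)):
            with open(path, "w") as f:
                f.write("username=amir\npassword=example-only\n")
            os.chmod(path, mode)
        fstab = (
            f"//nas.lab/photos /mnt/photos cifs credentials={loose},vers=3.0,_netdev 0 0\n"
            f"//nas.lab/backups /mnt/backups cifs credentials={tight},vers=3.0,_netdev 0 0\n"
            "//nas.lab/photos /mnt/p2 cifs username=amir,password=example-only,vers=3.0 0 0\n"
        )
        return check_cifs_fstab(fstab)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real client, pass the contents of /etc/fstab to check_cifs_fstab and run it as a user that can stat the credentials file.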
Discovery: mDNS via Avahi
For "the NAS shows up in the macOS Finder sidebar automatically," set up Avahi (see that tutorial) and advertise SMB:
sudo apt install avahi-daemon
# /etc/avahi/services/samba.service
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_smb._tcp</type>
<port>445</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=Xserve</txt-record>
</service>
<service>
<type>_adisk._tcp</type>
<port>9</port>
<txt-record>sys=waMa=0,adVF=0x100</txt-record>
<txt-record>dk0=adVN=backups,adVF=0x82</txt-record>
</service>
</service-group>
sudo systemctl restart avahi-daemon
The _adisk._tcp advertisement tells macOS "this server has a Time Machine target named backups" — appears in System Settings without manual config.
Active Directory integration (optional)
For company-shape deployments where users authenticate against AD:
# In smb.conf
[global]
security = ADS
realm = LAB.EXAMPLE.COM
workgroup = LAB
winbind use default domain = yes
winbind offline logon = yes
template homedir = /home/%U
template shell = /bin/bash
idmap config * : backend = tdb
idmap config * : range = 100000-199999
idmap config LAB : backend = rid
idmap config LAB : range = 200000-299999
# Join the domain (winbind as the client software, matching the winbind settings above)
sudo realm join --client-software=winbind lab.example.com -U Administrator
After joining, AD users can authenticate to Samba; group memberships drive share access.
Firewall
# Allow SMB to the LAN
# nftables (see /tutorials/nftables-modern-linux-firewall.html)
ip saddr 192.168.1.0/24 tcp dport 445 accept
ip saddr 192.168.1.0/24 udp dport 137-138 accept # NetBIOS (legacy)
ip saddr 192.168.1.0/24 tcp dport 139 accept # NetBIOS over TCP (legacy)
# Or ufw
sudo ufw allow from 192.168.1.0/24 to any app Samba
Security defaults worth keeping
- SMB 3.x only. server min protocol = SMB3_00 blocks SMB1 / SMB2. SMB1 is dead; never enable it.
- Encryption desired. server smb encrypt = desired negotiates encryption when both ends support it (all SMB3 clients do).
- Don't expose to the internet. SMB has a history of CVEs; bind to the LAN; never port-forward 445 publicly. For "I need SMB from elsewhere," tunnel via WireGuard / Tailscale / NetBird (see that tutorial).
- Per-share permissions. Use valid users, read list, write list, plus underlying Unix file permissions.
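A small auditor for the three settings in the list above that can be read straight out of smb.conf: SMB3-only, encryption desired or required, and a valid users line on every share. This is an added example, not part of the original tutorial or of Samba; the function names and both sample configs are constructed, and the parser handles only plain section and key = value lines (no include directives).

```python
SMB3_LEVELS = {"SMB3", "SMB3_00", "SMB3_02", "SMB3_11"}
SPECIAL = {"global", "homes", "printers"}  # sections that are not ordinary shares

def parse_smb_conf(text):
    """Return {section: {param: value}}, names lower-cased, whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit(text):
    """Check the three settings from the list above (older synonyms accepted)."""
    conf, findings = parse_smb_conf(text), []
    g = conf.get("global", {})
    proto = g.get("server min protocol", g.get("min protocol", "")).upper()
    if proto not in SMB3_LEVELS:
        findings.append(f"[global] server min protocol = {proto or '(unset)'}: not SMB3-only")
    enc = g.get("server smb encrypt", g.get("smb encrypt", "")).lower()
    if enc not in {"desired", "required"}:
        findings.append(f"[global] server smb encrypt = {enc or '(unset)'}: not desired/required")
    for name, params in conf.items():
        if name not in SPECIAL and "valid users" not in params:
            findings.append(f"[{name}] no valid users restriction")
    return findings

# Constructed sample inputs, not taken from a real host.
WEAK = """
[global]
   server min protocol = NT1
[scratch]
   read only = no
"""
HARDENED = """
[global]
   server min protocol = SMB3_00
   server smb encrypt = desired
[photos]
   valid users = amir
"""
if __name__ == "__main__":
    print("weak:", audit(WEAK), "\nhardened:", audit(HARDENED) or "OK")
```

To audit a live host, feed it the output of testparm -s rather than the raw file so that included files are resolved first.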
Samba vs alternatives
- NFSv4 (see that tutorial) — faster Unix-to-Unix; no Windows / macOS native support without extra packages. Use for homogeneous Unix.
- WebDAV — HTTP-based; works through firewalls easily; slower than SMB for large transfers.
- SSHFS — FUSE over SSH; ad-hoc; slow at scale.
- Cloud SaaS — Dropbox / Google Drive; great UX; not self-hosted.
For a mixed Linux + Windows + macOS LAN with file sharing as a core requirement, Samba remains the canonical answer in 2026.