---
title: Samba Configuration
description: This script configures Samba by applying the configuration stored in `${XDG_CONFIG_HOME:-$HOME/.config}/samba/config` if the `smbd` application is available
sidebar_label: 51 Samba Configuration
slug: /scripts/after/run_onchange_after_51-samba.sh.tmpl
githubLocation: https://github.com/megabyte-labs/install.doctor/blob/master/home/.chezmoiscripts/universal/run_onchange_after_51-samba.sh.tmpl
scriptLocation: https://github.com/megabyte-labs/install.doctor/raw/master/home/.chezmoiscripts/universal/run_onchange_after_51-samba.sh.tmpl
repoLocation: home/.chezmoiscripts/universal/run_onchange_after_51-samba.sh.tmpl
---
# Samba Configuration

This script configures Samba by applying the configuration stored in `${XDG_CONFIG_HOME:-$HOME/.config}/samba/config` if the `smbd` application is available.

## Overview

This script applies the Samba configuration stored in `${XDG_CONFIG_HOME:-$HOME/.config}/samba/config` if Samba is installed.
The script and default configuration set up two Samba shares.

## Security

By default, both shares only accept connections from hosts whose DNS name ends in `.local.PUBLIC_SERVICES_DOMAIN`,
where `PUBLIC_SERVICES_DOMAIN` is an environment variable that can be passed into Install Doctor. For example, if
`PUBLIC_SERVICES_DOMAIN` is set to `megabyte.space`, a device with an FQDN of `alpha.local.megabyte.space` pointing
to its LAN location will be able to connect, but a device with an FQDN of `alpha.megabyte.space` will not.

## Samba Shares / S3 Backup

If Cloudflare R2 credentials are provided, Samba is configured to store its shared files in the Rclone mounts so that your
Samba shares are synchronized to the S3 buckets. If not, new folders are created. Either way, the folders / symlinks that the
shares host data from are located at `/mnt/share-private` and `/mnt/share-public` (*Note: Different paths are used on macOS*).

1. The **public** share (named "Public") can be accessed by anyone (including write permissions with the default settings)
2. The **private** share (named "Private") can be accessed by specifying the PAM credentials of anyone who has an account that is included in the `sambausers` group

## Symlinks

Symlinks are disabled for security reasons: with symlinking enabled, people can create symlinks on the shares and use them to access system files outside of the
Samba shares. There are commented-out lines in the default configuration that you can uncomment to enable symlinks in shares.
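
One way to check a deployed configuration against the host restriction and symlink defaults described in the Security and Symlinks sections. This is an added example, not part of Install Doctor: the `audit_smb_conf` and `sample_conf` functions and the `[Scratch]` share are hypothetical, while `hosts allow`, `follow symlinks` and `wide links` are standard `smb.conf` parameters.

```shell
#!/usr/bin/env bash
# Added example, not Install Doctor code. Reads smb.conf text (or `testparm -s`
# output) on stdin; $1 is the required `hosts allow` suffix.
audit_smb_conf() {
    awk -v suffix="$1" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function get(s, k) { return ((s, k) in val) ? val[s, k] : val["global", k] }
    function on(v) { return tolower(v) ~ /^(yes|true|1)$/ }
    function flag(s, msg) { print s ": " msg; bad = 1 }
    /^[ \t]*([#;]|$)/ { next }    # comments and blank lines
    /^[ \t]*\[/ {                 # section header
        sec = trim($0); gsub(/^\[|\].*$/, "", sec)
        if (tolower(sec) == "global") sec = "global"; else order[++n] = sec
        next
    }
    (eq = index($0, "=")) {       # parameter names are case-insensitive
        key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        val[sec, key] = trim(substr($0, eq + 1))
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            # a [global] hosts allow applies to every share and takes precedence
            allow = (("global", "hosts allow") in val) ? val["global", "hosts allow"] : val[s, "hosts allow"]
            if (allow == "") flag(s, "no hosts allow, any host may connect")
            m = split(allow, h, /[ \t,]+/)
            for (j = 1; j <= m; j++)
                if (length(h[j]) < length(suffix) || substr(h[j], length(h[j]) - length(suffix) + 1) != suffix)
                    flag(s, "hosts allow entry outside " suffix ": " h[j])
            # follow symlinks defaults to yes, so it has to be switched off explicitly
            sym = get(s, "follow symlinks")
            if (sym == "" || on(sym)) flag(s, "follow symlinks is enabled")
            if (on(get(s, "wide links"))) flag(s, "wide links is enabled")
        }
        exit bad + 0
    }'
}

# Constructed sample (not the project default): Public matches the documented
# defaults, Scratch carries the settings the audit should catch.
sample_conf() { printf '%s\n' '[global]' 'workgroup = BETELGEUSE' \
    '[Public]' 'hosts allow = .local.megabyte.space' 'follow symlinks = no' 'wide links = no' \
    '[Scratch]' 'hosts allow = .megabyte.space' 'wide links = yes'; }

sample_conf | audit_smb_conf .local.megabyte.space || true
```

On a live host the same function can be fed the effective configuration with `testparm -s 2>/dev/null | audit_smb_conf ".local.$PUBLIC_SERVICES_DOMAIN"`; a non-zero exit status means at least one share deviates.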

## Printers

Printer sharing is not enabled by default. There are commented-out lines in the default configuration that should provide a nice stepping
stone if you want to use Samba for printer sharing (with CUPS).

## Environment Variables

The following table details some of the environment variables that are used to determine the configuration of the
Samba shares:

| Environment Variable        | Description                                                                                         |
|-----------------------------|-----------------------------------------------------------------------------------------------------|
| `PUBLIC_SERVICES_DOMAIN`    | Used to determine which hosts can connect to the Samba share (e.g. `.local.PUBLIC_SERVICES_DOMAIN`) |
| `SAMBA_NETBIOS_NAME`        | Determines the NetBIOS name (defaults to the `HOSTNAME` environment variable value)                 |
| `SAMBA_WORKGROUP`           | Controls Samba workgroup name (defaults to "BETELGEUSE")                                            |

## Links

* [Default Samba configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_local/samba/config.tmpl)
* [Secrets / Environment variables documentation](https://install.doctor/docs/customization/secrets)



## Source Code

```
{{- if (ne .host.distro.family "windows") -}}
#!/usr/bin/env bash
# @file Samba Configuration
# @brief This script configures Samba by applying the configuration stored in `${XDG_CONFIG_HOME:-$HOME/.config}/samba/config` if the `smbd` application is available
# @description
#     This script applies the Samba configuration stored in `${XDG_CONFIG_HOME:-$HOME/.config}/samba/config` if Samba is installed.
#     The script and default configuration set up two Samba shares.
#
#     ## Security
#
#     Both shares are configured by default to only accept connections
#     from hosts with DNS that ends in `.local.PUBLIC_SERVICES_DOMAIN`, where `PUBLIC_SERVICES_DOMAIN` is an environment variable that
#     can be passed into Install Doctor. So, if your `PUBLIC_SERVICES_DOMAIN` environment variable is set to `megabyte.space`, then
#     a device with a FQDN of `alpha.local.megabyte.space` pointing to its LAN location will be able to connect but a device
#     with a FQDN of `alpha.megabyte.space` will not be able to connect.
#
#     ## Samba Shares / S3 Backup
#
#     If CloudFlare R2 credentials are provided, Samba is configured to store its shared files in the Rclone mounts so that your
#     Samba shares are synchronized to the S3 buckets. If not, new folders are created. Either way, the folder / symlink that the
#     shares host data from are stored at `/mnt/share-private` and `/mnt/share-public` (*Note: Different paths are used on macOS*).
#
#     1. The **public** share (named "Public") can be accessed by anyone (including write permissions with the default settings)
#     2. The **private** share (named "Private") can be accessed by specifying the PAM credentials of anyone who has an account that is included in the `sambausers` group
#
#     ## Symlinks
#
#     Symlinks are disabled for security reasons. This is because, with symlinking enabled, people can create symlinks on the shares and use the symlinks to access system files outside of the
#     Samba shares. There are commented-out lines in the default configuration that you can uncomment to enable the symlinks in shares.
#
#     ## Printers
#
#     Printer sharing is not enabled by default. There are commented lines in the default configuration that should provide a nice stepping
#     stone if you want to use Samba for printer sharing (with CUPS).
#
#     ## Environment Variables
#
#     The following chart details some of the environment variables that are used to determine the configuration of the
#     Samba shares:
#
#     | Environment Variable        | Description                                                                                         |
#     |-----------------------------|-----------------------------------------------------------------------------------------------------|
#     | `PUBLIC_SERVICES_DOMAIN`    | Used to determine which hosts can connect to the Samba share (e.g. `.local.PUBLIC_SERVICES_DOMAIN`) |
#     | `SAMBA_NETBIOS_NAME`        | Determines the NetBIOS name (defaults to the `HOSTNAME` environment variable value)                 |
#     | `SAMBA_WORKGROUP`           | Controls Samba workgroup name (defaults to "BETELGEUSE")                                            |
#
#     ## Links
#
#     * [Default Samba configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/dot_local/samba/config.tmpl)
#     * [Secrets / Environment variables documentation](https://install.doctor/docs/customization/secrets)

{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}

### Configure Samba server
if command -v smbd > /dev/null; then
    ### Define share locations
    if [ -d /Applications ] && [ -d /System ]; then
        ### macOS does not have `/mnt` folder so use `/Volumes` location
        MNT_FOLDER='Volumes'
    else
        MNT_FOLDER='mnt'
    fi
    PRIVATE_CLOUD="/$MNT_FOLDER/Cloud (Private)"
    PUBLIC_CLOUD="/$MNT_FOLDER/Cloud (Public)"
    PRIVATE_SHARE="/$MNT_FOLDER/Network Share (Private)"
    PUBLIC_SHARE="/$MNT_FOLDER/Network Share (Public)"

    ### Ensure private Samba directory / symlink exists
    if [ -d "$PRIVATE_CLOUD" ] && [ ! -d "$PRIVATE_SHARE" ]; then
        sudo ln -s "$PRIVATE_CLOUD" "$PRIVATE_SHARE"
    else
        sudo mkdir -p "$PRIVATE_SHARE"
    fi

    ### Ensure public Samba directory / symlink exists
    if [ -d "$PUBLIC_CLOUD" ] && [ ! -d "$PUBLIC_SHARE" ]; then
        sudo ln -s "$PUBLIC_CLOUD" "$PUBLIC_SHARE"
    else
        sudo mkdir -p "$PUBLIC_SHARE"
    fi

    ### Copy the Samba server configuration file
    if [ -d /Applications ] && [ -d /System ]; then
        logg warn 'TODO Add logic that applies the Samba configuration for macOS'
    else
        logg info "Copying Samba server configuration to /etc/samba/smb.conf"
        sudo cp -f "${XDG_CONFIG_HOME:-$HOME/.config}/samba/config" "/etc/samba/smb.conf"

        ### Reload configuration file changes
        logg info 'Reloading the smbd config'
        smbcontrol smbd reload-config
    fi
else
    logg info "Samba server is not installed"
fi

{{ end -}}
```