ansible-playbooks/roles/samba_server/README.md

Samba Server

Minimal SMB/CIFS file sharing, mirroring the design of the nfs_server role.

Security is assumed to come from the network (firewall + VPN). No Active Directory, no Kerberos, no winbind. Standalone server, tdbsam backend.

In a nutshell

Supports:

• SMB2/SMB3 over TCP (port 445) and legacy NetBIOS (port 139)
• Per-share access control (valid_users, write_list, force_user/group)
• Optional guest fallback (map to guest = Bad User)
• UFW firewall configuration
• testparm-validated config before reload
• Idempotent user creation via smbpasswd

Limitations:

• No Active Directory / Kerberos integration
• Samba user accounts are only created, never updated. To rotate a password, run pdbedit -x <username> first, then rerun the playbook.
• The matching system user (/etc/passwd) must already exist; this role does not create UNIX accounts.

Inventory

# Bind only to private interfaces
samba_bind_interfaces_only: true
samba_interfaces:
  - lo
  - lan0
  - 192.168.1.161

# UNIX users must exist beforehand (e.g. via the `users` role
# or manual `useradd`). This role only manages the SMB password.
samba_users:
  - username: alice
    password: "{{ vault_alice_smb_password }}"
  - username: bob
    password: "{{ vault_bob_smb_password }}"

samba_shares:
  - name: photos
    path: /mnt/andromeda/family-photos
    comment: "Family photos"
    read_only: false
    valid_users: ["alice", "bob"]
    write_list: ["alice"]
    force_user: alice
    force_group: users

  - name: public
    path: /mnt/andromeda/public
    comment: "Read-only public share"
    guest_ok: true
    read_only: true

samba_server_firewall_allowed_sources:
  - 192.168.1.0/24
  - 192.168.27.0/27

See defaults/main.yml for all variables and defaults.

Resources

• https://wiki.archlinux.org/title/Samba
• https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
• man smb.conf, man smbpasswd, man pdbedit