File Sharing with NFS and Samba

In this lesson

NFS server and client setup NFS exports and security Samba for Linux-Windows sharing Samba users and permissions Automounting with autofs

File sharing allows multiple systems to access the same data over a network. Linux uses two primary protocols: NFS (Network File System) for Linux-to-Linux sharing, and Samba (SMB/CIFS) for sharing with Windows clients. Both can serve large-scale storage to multiple clients simultaneously, making them essential tools for shared development environments, media servers, and enterprise storage.

NFS — Network File System

NFS allows a Linux server to export directories over the network, which clients then mount as if they were local filesystems. NFS version 4 (NFSv4) is the current standard — it includes stronger security, stateful connections, and better performance over NFSv3.

# ── SERVER SETUP ──────────────────────────────────────────────────────

# Install NFS server
sudo apt install nfs-kernel-server -y     # Debian/Ubuntu
sudo dnf install nfs-utils -y             # RHEL/Rocky

# Create the directory to share
sudo mkdir -p /srv/nfs/shared
sudo chown nobody:nogroup /srv/nfs/shared  # Debian/Ubuntu
sudo chmod 755 /srv/nfs/shared

# Define exports in /etc/exports
sudo tee /etc/exports << 'EOF'
# Share /srv/nfs/shared with a specific subnet
/srv/nfs/shared  192.168.1.0/24(rw,sync,no_subtree_check,no_root_squash)

# Read-only export for all clients in a different subnet
/srv/nfs/data    10.0.0.0/8(ro,sync,no_subtree_check)
EOF

# Apply export changes
sudo exportfs -arv

# Start and enable NFS server
sudo systemctl enable --now nfs-kernel-server   # Debian/Ubuntu
sudo systemctl enable --now nfs-server           # RHEL/Rocky

# Verify active exports
sudo exportfs -v

# sudo exportfs -arv
exporting 192.168.1.0/24:/srv/nfs/shared
exporting 10.0.0.0/8:/srv/nfs/data

# sudo exportfs -v
/srv/nfs/shared
                192.168.1.0/24(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,no_root_squash,no_all_squash)
/srv/nfs/data
                10.0.0.0/8(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)

Key NFS Export Options

Option	Meaning
rw / ro	Read-write or read-only access
sync	Write to disk before acknowledging — safer, slightly slower
no_subtree_check	Disables subtree checking — improves reliability and performance
root_squash	Maps client root to anonymous user — prevents root privilege escalation
no_root_squash	Allows client root to act as root on the server — use only on trusted networks

Mounting NFS Shares on Clients

# ── CLIENT SETUP ──────────────────────────────────────────────────────

# Install NFS client tools
sudo apt install nfs-common -y            # Debian/Ubuntu
sudo dnf install nfs-utils -y             # RHEL/Rocky

# Discover available exports on a server
showmount -e 192.168.1.10

# Mount manually (temporary — lost on reboot)
sudo mkdir -p /mnt/shared
sudo mount -t nfs 192.168.1.10:/srv/nfs/shared /mnt/shared

# Verify the mount
df -h /mnt/shared
ls /mnt/shared

# Persistent mount — add to /etc/fstab
echo "192.168.1.10:/srv/nfs/shared  /mnt/shared  nfs  defaults,_netdev  0 0" \
  | sudo tee -a /etc/fstab

# Mount all fstab entries
sudo mount -a

# Unmount
sudo umount /mnt/shared

# showmount -e 192.168.1.10
Export list for 192.168.1.10:
/srv/nfs/shared 192.168.1.0/24
/srv/nfs/data   10.0.0.0/8

# df -h /mnt/shared
Filesystem                       Size  Used Avail Use% Mounted on
192.168.1.10:/srv/nfs/shared     100G   12G   88G  12% /mnt/shared

Samba — Sharing with Windows Clients

Samba implements the SMB (Server Message Block) protocol, allowing Linux servers to share files with Windows, macOS, and other Linux clients. Windows machines can browse and mount Samba shares exactly like they would a Windows file server — no special client software required.

# ── SAMBA SERVER SETUP ────────────────────────────────────────────────

# Install Samba
sudo apt install samba -y                 # Debian/Ubuntu
sudo dnf install samba samba-client -y    # RHEL/Rocky

# Create share directory and set permissions
sudo mkdir -p /srv/samba/shared
sudo chown root:sambashare /srv/samba/shared
sudo chmod 2775 /srv/samba/shared

# Configure Samba — edit /etc/samba/smb.conf
sudo tee -a /etc/samba/smb.conf << 'EOF'

[shared]
   comment = Shared Files
   path = /srv/samba/shared
   browseable = yes
   read only = no
   valid users = @sambashare
   create mask = 0664
   directory mask = 2775
   force group = sambashare

[publicshare]
   comment = Public Read-Only Share
   path = /srv/samba/public
   browseable = yes
   read only = yes
   guest ok = yes
EOF

# Test configuration syntax
sudo testparm

# Create a Samba user (must be an existing Linux user)
sudo useradd -m -s /sbin/nologin sambauser
sudo usermod -aG sambashare sambauser
sudo smbpasswd -a sambauser     # sets Samba-specific password

# Start and enable Samba
sudo systemctl enable --now smbd nmbd

# Allow Samba through firewall
sudo ufw allow samba            # Ubuntu
sudo firewall-cmd --permanent --add-service=samba && sudo firewall-cmd --reload  # RHEL

# sudo testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak cryptography is allowed by default.

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
        server string = %h server (Samba, Ubuntu)
        obey pam restrictions = Yes
        passwd program = /usr/bin/passwd %u

[shared]
        comment = Shared Files
        path = /srv/samba/shared
        create mask = 0664
        directory mask = 02775
        force group = sambashare
        read only = No
        valid users = @sambashare

Accessing Samba Shares

# ── FROM LINUX CLIENT ─────────────────────────────────────────────────

sudo apt install smbclient cifs-utils -y

# List shares on a Samba server
smbclient -L //192.168.1.10 -U sambauser

# Connect interactively (like FTP)
smbclient //192.168.1.10/shared -U sambauser

# Mount a Samba share persistently
sudo mkdir -p /mnt/samba
sudo mount -t cifs //192.168.1.10/shared /mnt/samba \
  -o username=sambauser,password=secret,uid=1000,gid=1000

# Store credentials securely instead of in fstab
sudo tee /etc/samba/credentials << 'EOF'
username=sambauser
password=secret
EOF
sudo chmod 600 /etc/samba/credentials

# fstab entry using credentials file
echo "//192.168.1.10/shared /mnt/samba cifs credentials=/etc/samba/credentials,uid=1000,gid=1000,_netdev 0 0" \
  | sudo tee -a /etc/fstab

# ── FROM WINDOWS CLIENT ───────────────────────────────────────────────
# In File Explorer address bar:
# \\192.168.1.10\shared
# Or map as network drive via: This PC > Map network drive

Automounting with autofs

autofs mounts network filesystems on demand when accessed and unmounts them after a period of inactivity. This is more efficient than static fstab mounts — shares that are rarely used do not consume connections or delay boot, and stale mounts do not block system startup if the server is temporarily unavailable.

# Install autofs
sudo apt install autofs -y

# Master map — tells autofs which directories to manage
# Edit /etc/auto.master and add:
echo "/mnt/auto  /etc/auto.nfs  --timeout=60" | sudo tee -a /etc/auto.master

# Create the map file for NFS mounts
sudo tee /etc/auto.nfs << 'EOF'
# Format: mountpoint  [options]  server:path
shared  -rw,soft,intr  192.168.1.10:/srv/nfs/shared
data    -ro,soft       192.168.1.10:/srv/nfs/data
EOF

# Restart autofs
sudo systemctl restart autofs

# Access triggers the mount automatically
ls /mnt/auto/shared   # mounts on first access
# After 60 seconds of no access, autofs unmounts it

# Check currently mounted autofs filesystems
mount | grep autofs

NFS vs Samba — when to use which: Use NFS for Linux-to-Linux sharing — it is simpler to configure, has lower overhead, and handles Unix permissions natively. Use Samba when Windows clients need access, or when you need a mixed-OS shared storage environment. Both can coexist on the same server sharing the same directories.

Lesson Checklist

✔ I can set up an NFS server, define exports with appropriate options, and mount them persistently on clients

✔ I understand NFS export options — particularly the security implications of root_squash vs no_root_squash

✔ I can configure Samba shares, create Samba users, and mount shares from both Linux and Windows clients

✔ I can set up autofs for on-demand mounting and understand why it is preferable to static fstab mounts for network shares

Practice Questions

1. You need to share /data/projects from a Ubuntu server at 10.0.1.5 with three application servers on the 10.0.1.0/24 subnet. The share needs to be read-write, and the application servers run their apps as UID 1001. Write the complete server and client configuration including the fstab entry.

Server: sudo apt install nfs-kernel-server -y. Add to /etc/exports: /data/projects 10.0.1.0/24(rw,sync,no_subtree_check,root_squash). Run sudo exportfs -arv. On clients: sudo apt install nfs-common -y, create mount point sudo mkdir -p /mnt/projects. fstab entry: 10.0.1.5:/data/projects /mnt/projects nfs rw,sync,_netdev 0 0. Apply: sudo mount -a. Ensure UID 1001 owns or has write permission on the server-side directory.

2. A Windows user reports they can see the Samba share in File Explorer but get "Access Denied" when trying to open it. They are using the correct username and password. What are the three most likely causes and how would you diagnose each?

(1) User not in valid users — check smb.conf for valid users setting; confirm user is in the specified group with id username. (2) Linux filesystem permissions blocking access — check ls -la /srv/samba/shared; the Samba user's Linux UID must have read/write permission on the directory. (3) SELinux blocking Samba on RHEL — check sudo ausearch -c smbd for AVC denials; fix with sudo setsebool -P samba_enable_home_dirs on or set the correct SELinux context: sudo chcon -t samba_share_t /srv/samba/shared.

3. Explain why storing Samba credentials in /etc/fstab directly as username=x,password=y is a security risk, and describe the correct approach.

/etc/fstab is world-readable (permissions 644) — any local user can run cat /etc/fstab and see the plaintext password. The correct approach is to store credentials in a separate file with restrictive permissions: create /etc/samba/credentials containing username=x and password=y on separate lines, set chmod 600 /etc/samba/credentials and chown root:root /etc/samba/credentials, then reference it in fstab with credentials=/etc/samba/credentials.

Lesson Quiz

1. An NFS export is configured with root_squash. A client mounts the share and tries to write a file as root. What happens?

Root on the client has full access because root always bypasses NFS restrictions The client root's requests are mapped to the anonymous user (nobody/nfsnobody) on the server — root privileges are not honoured on the NFS share The write fails with a permission denied error regardless of the export settings root_squash only affects read operations — writes succeed normally

2. What command do you run after editing /etc/exports to apply the changes without restarting the NFS server?

sudo systemctl reload nfs-kernel-server sudo exportfs -arv sudo nfsstat --refresh Changes to /etc/exports take effect automatically without any command

3. Why does a Samba user need both a Linux system account and a separate Samba password set with smbpasswd?

Samba requires two-factor authentication — one password for the network and one for the filesystem Samba maintains its own password database separate from /etc/shadow — the Linux account provides the UID/GID for file permissions while the Samba password handles SMB authentication This is only required on RHEL — Ubuntu Samba uses PAM and shares the Linux password The Linux password is used for read access and the Samba password is used for write access

Up Next

Lesson 33 — Storage Concepts (LVM)

LVM architecture, creating and extending volumes, snapshots, and software RAID with mdadm

← Previous Course Index Next →