Samba Guest config with ZFS
This configuration allows anonymous "Guest" access to a specific folder while ensuring all files are owned by a restricted local service account. This is ideal for media libraries (audiobooks, movies) on a trusted home network.
1. FreeBSD System Identity (User & Group)
Create a dedicated group and a "no-login" service account to handle guest traffic.
```bash
# Create the shared group
sudo pw groupadd smbgrp
# Create the guest user (no home directory, no shell access)
sudo pw useradd smbguest -c "Samba Guest Account" -d /nonexistent -s /usr/sbin/nologin -g smbgrp
# Add your primary administrative user to the group
sudo pw groupmod smbgrp -m <YOUR_ADMIN_USER>
```
2. ZFS Dataset Tuning
Set these properties to ensure ZFS manages permissions via inheritance rather than letting individual apps strip them.
```bash
# Replace 'zpool/dataset' with your actual ZFS dataset path
sudo zfs set aclinherit=passthrough zpool/dataset
sudo zfs set aclmode=passthrough zpool/dataset
```
3. The "Golden ACL" (NFSv4)
Apply permissions that ensure smbgrp always has full control. Use two passes, because the inheritance flags (fd) are only valid on directories and setfacl returns an error when they are applied to regular files.
```bash
# 1. Clean existing ACLs from the path
sudo setfacl -R -b /path/to/share
# 2. Set the Parent Directory to 'Inherit' (fd flags)
sudo setfacl -a 0 g:smbgrp:full_set:fd:allow /path/to/share
# 3. Apply to sub-items (Directories get inheritance, Files get access only)
#    -mindepth 1 skips the parent, which already received its entry in step 2
sudo find /path/to/share -mindepth 1 -type d -exec setfacl -a 0 g:smbgrp:full_set:fd:allow {} +
sudo find /path/to/share -type f -exec setfacl -a 0 g:smbgrp:full_set:allow {} +
```
4. Samba Configuration (smb4.conf)
Global and share settings to map all anonymous traffic to the smbguest user.
```ini
[global]
workgroup = WORKGROUP
security = user
map to guest = Bad User
server min protocol = SMB2_10
[audiobooks]
path = /path/to/share
guest ok = yes
guest only = yes
force user = smbguest
force group = smbgrp
read only = no
# macOS Metadata & Performance Optimization
vfs objects = zfsacl fruit streams_xattr
fruit:metadata = stream
fruit:model = MacPro7,1
```
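A small audit of the guest settings above, added here as an example and not part of the original configuration: it parses smb4.conf text and reports guest-enabled shares that lack force user or force group, a minimum protocol that is not pinned to SMB2 or later, and guest-writable shares with no hosts allow restriction. The function name, the WEAK_CONF sample and the hosts allow check are assumptions of this example; hosts allow is a standard Samba parameter that the configuration above does not set, so its share is reported as relying on the trusted network.

```python
import configparser

TRUE = {"yes", "true", "1", "on"}  # boolean spellings smb.conf accepts

def audit_guest_shares(conf_text):
    """Return a list of findings for guest-enabled shares in smb4.conf text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    # Strip indentation so indented keys are not read as value continuations.
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    sections = {name.lower(): cp[name] for name in cp.sections()}
    g, findings = sections.get("global", {}), []
    if not g.get("server min protocol", "").upper().startswith(("SMB2", "SMB3")):
        findings.append("global: 'server min protocol' not pinned to SMB2 or later")
    for name, s in sections.items():
        if name == "global" or s.get("guest ok", s.get("public", "no")).lower() not in TRUE:
            continue  # only guest-enabled shares are in scope
        for key in ("force user", "force group"):
            if not s.get(key):
                findings.append(f"{name}: guest share without '{key}'")
        writable = s.get("read only", "yes").lower() not in TRUE or any(
            s.get(k, "no").lower() in TRUE for k in ("writable", "writeable", "write ok"))
        if writable and not (s.get("hosts allow") or g.get("hosts allow")):
            findings.append(f"{name}: guest-writable with no 'hosts allow' limit")
    return findings

# The guest-relevant lines of the smb4.conf shown above.
PAGE_CONF = """
[global]
map to guest = Bad User
server min protocol = SMB2_10
[audiobooks]
guest ok = yes
force user = smbguest
force group = smbgrp
read only = no
"""

# Constructed weak variant for comparison (not from the page).
WEAK_CONF = """
[global]
server min protocol = NT1
[media]
guest ok = yes
read only = no
"""

if __name__ == "__main__":
    print(audit_guest_shares(PAGE_CONF), audit_guest_shares(WEAK_CONF), sep="\n")
```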
5. Linux Mount Unit (systemd)
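For immutable distros like Fedora Silverblue. Save to /etc/systemd/system/var-mnt-audiobooks.mount; systemd requires the unit file name to match the Where= path (/var/mnt/audiobooks becomes var-mnt-audiobooks.mount).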
```ini
[Unit]
Description=Mount Audiobooks Share
After=network-online.target
[Mount]
What=//<SERVER_IP_OR_HOSTNAME>/audiobooks
Where=/var/mnt/audiobooks
Type=cifs
Options=guest,uid=1000,gid=1000,iocharset=utf8,file_mode=0664,dir_mode=0775,_netdev
[Install]
WantedBy=multi-user.target
```
6. Safe File Transfer (Rsync)
To ensure new files inherit the correct permissions from the share, tell rsync not to carry over the source's permissions and group.
```bash
rsync -rv --no-p --no-g /local/path/ user@server:/path/to/share/
```