{
"meta": {
"title": "Samba server in LXC | ProxMenux Documentation",
"description": "Run a Samba (SMB / CIFS) server inside a Proxmox LXC container with ProxMenux. Auto-installs samba, manages /etc/samba/smb.conf, smbpasswd users, sharedfiles group for bind-mounted folders. Requires a privileged container.",
"ogTitle": "Samba server in LXC | ProxMenux Documentation",
"ogDescription": "Expose folders over SMB/CIFS from inside a privileged LXC container. Auto-install, smbpasswd user, bind-mount aware permissions."
},
"header": {
"title": "Samba server in LXC",
"description": "Run a Samba (SMB / CIFS) server inside a Proxmox LXC container and expose folders to Windows / macOS / Linux clients on the network. ProxMenux installs samba, creates a Samba user with smbpasswd, manages /etc/samba/smb.conf, and applies bind-mount aware permissions when the shared folder comes from the host.",
"section": "Storage & Share · LXC"
},
"privReq": {
"title": "Privileged container required",
"body": "Samba impersonates the connecting user with setgroups() on every tree connection (the moment a client opens a share). In an unprivileged LXC, the kernel rejects that syscall because the container's user namespace is created with setgroups=deny — and smbd responds by aborting the worker process with PANIC: sys_setgroups failed. The result is that smbd starts and binds ports 139/445, but every client connection fails with NT_STATUS_CONNECTION_DISCONNECTED. The script enforces a privileged CT for this reason and aborts if it is unprivileged. There is no clean fix on the server side; use a privileged CT, or run Samba inside a VM."
},
"what": {
"heading": "What this does",
"body": "The container becomes an SMB/CIFS server: it runs smbd, exposes a folder via /etc/samba/smb.conf and accepts client connections on ports 139 / 445. Clients see the share at \\\\<ct-ip>\\<share-name> in Windows Explorer, smb://<ct-ip>/<share-name> in macOS Finder, or via mount.cifs on Linux.",
"diagramServerLabel": "LXC (privileged) — Samba server",
"diagramServerDetail": "/mnt/data\n(folder you expose)\n\nsmbd + nmbd running\n\nUser: \n(via smbpasswd)\n\nForce group:\nsharedfiles",
"diagramClientLabel": "Any client on the network",
"diagramClientDetail": "Windows: \\\\\\\nmacOS: smb:///\nLinux: mount.cifs",
"diagramArrow": "SMB / CIFS"
},
"perms": {
"heading": "Two permission paths depending on the folder type",
"body": "Before adding the share to smb.conf, the script checks whether the chosen folder is a bind mount from the host or a regular local folder inside the CT — and applies different ownership / permissions accordingly:",
"headerType": "Folder type",
"headerAction": "What the script does",
"bindType": "Bind-mount from host",
"bindTypeSubRich": "detected via mount output",
"bindActionRich": "Creates group sharedfiles (default GID 999, dynamic if taken), adds the Samba user to it, then chown root:sharedfiles + chmod 2775 (SGID — new files inherit the group). If the user still cannot write, applies setfacl -m u:<user>:rwx.",
"localType": "Local folder inside CT",
"localTypeSub": "no bind mount detected",
"localActionRich": "Standard ownership: chown -R <user>:<user> + chmod -R 755. No shared group needed because no other CT writes to this folder. Falls back to setfacl if write access is still missing.",
"gidTitle": "GID for 'sharedfiles' differs from the NFS server flow",
"gidBody": "The Samba server script uses GID 999 for sharedfiles, while the NFS server flow uses GID 101000. If you run both servers in the same CT and want a single shared group across both protocols, edit one of them to match the other after the install (e.g. groupmod -g 101000 sharedfiles) and re-apply ownership on the affected folders. This is a known inconsistency in the current scripts."
},
"opening": {
"heading": "Opening the tool",
"body": "From ProxMenux's main menu, open Storage & Share Manager → Configure Samba Server in LXC (only privileged). ProxMenux first asks you to pick the target CT (and starts it if stopped); aborts if unprivileged. Once the CT is selected you see this sub-menu with five options:",
"imageAlt": "Samba Server Manager menu — Create / View / Delete / Status / Uninstall"
},
"howRuns": {
"heading": "How the script runs (Create flow)"
},
"modes": {
"heading": "The three share modes",
"intro": "Each mode writes a different stanza to smb.conf. All three include valid users = <username> (no anonymous), force group = sharedfiles (so new files belong to the shared group) and veto files = /lost+found/ (hides it from clients).",
"headerMode": "Mode",
"headerBlock": "Block written to smb.conf",
"rwMode": "Read-Write",
"roMode": "Read-Only",
"customMode": "Custom",
"customBodyRich": "You type your own directives in a free-text box. ProxMenux still wraps them in a [share] block with the standard path, valid users, force group and veto files."
},
"manual": {
"heading": "Manual equivalent",
"body": "Replicate the whole flow by hand — every command runs inside the CT via pct exec <ctid> -- or pct enter <ctid>:"
},
"connect": {
"heading": "Connecting from clients",
"headerOs": "Client OS",
"headerHow": "How to connect",
"windowsOs": "Windows",
"windowsHowRich": "File Explorer → address bar: \\\\<ct-ip>\\<share-name>. Or Map Network Drive → check \"Connect using different credentials\".",
"macosOs": "macOS",
"macosHowRich": "Finder → Go → Connect to Server… → smb://<ct-ip>/<share-name>. Or mount_smbfs //user@<ct-ip>/<share> /mountpoint.",
"linuxOs": "Linux",
"linuxHowRich": "mount -t cifs //<ct-ip>/<share> /mnt/x -o username=<u>,password=<p>,iocharset=utf8. Or use the Samba client in LXC page if the client is another Proxmox CT."
},
"view": {
"heading": "View current shares",
"body": "Parses /etc/samba/smb.conf inside the CT and lists every [share] block (skipping [global], [homes], [printers]) with its path. Useful as a quick inventory."
},
"delete": {
"heading": "Delete a share",
"body": "Lets you pick a share by name, removes the block from smb.conf (sed deletes from [share] down to the next blank line), and restarts smbd. The folder itself and its contents are left intact."
},
"status": {
"heading": "Check Samba status",
"body": "Reports whether smbd and nmbd are installed and active, lists Samba users (pdbedit -L) and prints active sessions (smbstatus)."
},
"uninstall": {
"heading": "Uninstall Samba server",
"body": "Full clean-up after confirmation: stops + disables smbd and nmbd, backs up smb.conf to smb.conf.backup.YYYYMMDD_HHMMSS, removes Samba users with smbpasswd -x, and apt-get purge the Samba packages. The exported folders themselves are not deleted.",
"warnTitle": "Folders survive — back up data separately",
"warnBody": "Both Delete share and Uninstall Samba server remove the share configuration. The data on the exported folders is preserved. To delete the data too, do it explicitly with rm -rf after the script finishes."
},
"troubleshoot": {
"heading": "Troubleshooting",
"privTitle": "Privileged container required (script aborts)",
"privBody": "The selected CT is unprivileged and smbd cannot serve files there. If you bypass the gate and configure Samba by hand, smbd starts and the ports open, but the first client connection panics with PANIC: sys_setgroups failed in /var/log/samba/log.<client> and the client sees NT_STATUS_CONNECTION_DISCONNECTED. The cause is the unprivileged user namespace having setgroups=deny, which blocks Samba's per-connection impersonation. Neither features=keyctl=1 nor removing force user / force group changes this. The only workable options are: convert the CT to privileged, or move Samba to a VM.",
"aptTitle": "apt-get install fails",
"aptIntro": "The script assumes a Debian-family CT. On Alpine / Arch / Rocky / Alma, install Samba by hand:",
"aptItems": [
"Alpine: apk add samba",
"Arch: pacman -S samba",
"Rocky / Alma: dnf install samba"
],
"aptOutro": "Then re-run the ProxMenux script — the install step skips when the tools are already present.",
"noShareTitle": "Client connects but cannot see the share",
"noShareBody": "Check that browseable = yes is set in the share block (default for rw / ro modes; may be missing in custom). Also check the CT firewall and the Proxmox host firewall allow TCP 445 (SMB) and 139 (NetBIOS). Some Windows clients also require name resolution — try the IP directly first.",
"authTitle": "Authentication fails (NT_STATUS_LOGON_FAILURE)",
"authBody": "Either the wrong password (Samba passwords are separate from system passwords — see them with pdbedit -L) or the user is not in valid users for that share. Reset the password with smbpasswd <user> inside the CT.",
"groupTitle": "Files written by the client appear with wrong group on the server",
"groupBody": "The script sets force group = sharedfiles in the share block, so new files should be group sharedfiles. If they aren't, the SGID bit on the parent directory may have been lost (someone ran chmod by hand). Reapply: chmod 2775 /mnt/<share>.",
"bothTitle": "Sharing the same folder over both NFS and Samba",
"bothBody": "ProxMenux uses different GIDs for sharedfiles in each script (Samba: 999, NFS: 101000). If you serve the same folder via both, decide on one GID and align both. The simplest fix: after running both scripts, edit the smaller GID:"
},
"related": {
"heading": "Related",
"items": [
{
"href": "/docs/storage-share/lxc-samba-client",
"label": "Samba client in LXC",
"tail": " — the inverse: mount external Samba shares from inside a CT."
},
{
"href": "/docs/storage-share/lxc-nfs-server",
"label": "NFS server in LXC",
"tail": " — sibling page, same pattern with NFS instead of CIFS."
},
{
"href": "/docs/storage-share/host-samba",
"label": "Samba / CIFS as Proxmox storage",
"tailRich": " — once your CT is exposing, register that share in Proxmox so it appears under Datacenter → Storage."
}
]
}
}