ServicesAboutGuidesGet Started
FedoraSambaNAS

Setting Up Samba on Fedora 44 as a Public Share

Build a simple NAS on Fedora 44 that shares a folder to the local network using Samba with no authentication. Any device on the LAN can read and write to the share — no passwords, no user accounts. Ideal for a home lab, a workshop file drop, or anywhere convenience beats access control.

Before You Start

⚠️

This guide creates a share with no authentication. Every device on the local network can read, write, and delete files in the shared folder. This is intentional — the goal is a simple, password-free file drop for a trusted network.

If you need per-user access control, Active Directory integration, or any form of authenticated access, this is not the guide for that. Authenticated Samba shares involve significantly more configuration and are a different topic entirely.

This guide assumes you are starting from a Fedora 44 Server minimal install. Every command is run as a regular user with sudo. If you are still logging in as root, see Adding a New User on Fedora 44+ first.

The guide uses /data as the mount point for a dedicated storage disk and /data/shares/public as the shared directory. Adjust the paths to match your setup.

TL;DR

The full setup, condensed. Each section below explains what these commands do and why.

bash
sudo dnf upgrade --refresh -y
sudo dnf install cockpit cockpit-storaged samba policycoreutils-python-utils -y
sudo firewall-cmd --add-service=cockpit --permanent
sudo firewall-cmd --add-service=samba --permanent
sudo firewall-cmd --reload
sudo systemctl enable --now cockpit.socket
sudo mkdir /data
# Set up your storage disk via Cockpit or /etc/fstab, then:
sudo mkdir -p /data/shares/public
sudo semanage fcontext -a -t samba_share_t "/data(/.*)?"
sudo restorecon -Rv /data/
sudo useradd pubshare -s /usr/sbin/nologin
sudo smbpasswd -a pubshare
sudo chown pubshare /data/shares/public/
# Edit /etc/samba/smb.conf (see below), then:
sudo systemctl enable --now smb

Step 1 — Update the System

Start by bringing the system fully up to date. This ensures you have the latest package versions and security patches before installing anything new.

bash
sudo dnf upgrade --refresh -y

Step 2 — Install Required Packages

bash
sudo dnf install cockpit cockpit-storaged samba policycoreutils-python-utils -y
  • cockpit and cockpit-storaged — a web-based management console for the server. The storage module makes it easy to partition and format disks, configure mount points, and manage /etc/fstab entries without editing files by hand. You can skip these two packages if you prefer to manage storage from the command line.
  • samba — the SMB/CIFS file server.
  • policycoreutils-python-utils — provides the semanage command, which you will need to tell SELinux that your data directory is a Samba share.

Step 3 — Open the Firewall

Fedora's firewall blocks incoming connections by default. Open the ports for both Cockpit and Samba.

bash
sudo firewall-cmd --add-service=cockpit --permanent
sudo firewall-cmd --add-service=samba --permanent
sudo firewall-cmd --reload
  • --permanent writes the rule to the persistent configuration so it survives a reboot.
  • --reload activates the new rules immediately without dropping existing connections.
💡

The cockpit service opens TCP port 9090. The samba service opens TCP 445 and 139, plus UDP 137 and 138. If you skipped Cockpit in Step 2, skip the cockpit firewall rule here as well.

Step 4 — Enable Cockpit

Start Cockpit and set it to launch on boot.

bash
sudo systemctl enable --now cockpit.socket

Cockpit is now available at https://your-server-ip:9090 in any browser. Log in with your normal Linux credentials.

💡

Cockpit uses a self-signed certificate by default. Your browser will warn you about this — accept the exception to proceed. If this server will be managed long-term, consider adding a proper certificate later.

Step 5 — Set Up Storage

Create the mount point for your data disk.

bash
sudo mkdir /data

Now attach and mount your storage disk. You have two options:

  • Cockpit — log into the web console, go to Storage, select your disk, format it, and configure a mount point at /data. Cockpit will handle the /etc/fstab entry for you.
  • Command line — partition the disk with fdisk or parted, format it with mkfs.xfs (or your preferred filesystem), add an entry to /etc/fstab, and mount it.

Reboot after configuring storage to confirm the disk mounts automatically on boot.

bash
sudo reboot

Step 6 — Configure SELinux

SELinux is enabled by default on Fedora and will block Samba from accessing files outside its expected directories. Tell SELinux that everything under /data is a Samba share.

bash
sudo semanage fcontext -a -t samba_share_t "/data(/.*)?"
sudo restorecon -Rv /data/
  • semanage fcontext adds a persistent rule mapping the path pattern to the samba_share_t type. This rule survives relabels and reboots.
  • restorecon -Rv applies the new context to all existing files and directories under /dataimmediately.
⚠️

Do not disable SELinux. Many older guides suggest setting SELinux to permissive or disabled as a "fix" for Samba access problems. The two commands above are all you need. Disabling SELinux to make a file share work is removing a security layer to avoid a two-line configuration.

Step 7 — Create the Shared Directory

bash
sudo mkdir -p /data/shares/public

This is the directory that will be exposed over the network. You can create additional directories alongside public later if you want more shares.

Step 8 — Configure Samba

Back up the default configuration file, then replace it.

bash
sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.orig

Edit /etc/samba/smb.conf with your preferred editor and replace the contents with the following:

ini
[global]
        workgroup = WORKGROUP
        security = user
        map to guest = bad user
        min protocol = SMB3
        passdb backend = tdbsam

[Public]
        path = /data/shares/public
        browsable = yes
        writable = yes
        read only = no
        guest ok = yes
        force user = pubshare

What Each Setting Does

[global] Section

  • workgroup = WORKGROUP — the NetBIOS workgroup name. WORKGROUP is the Windows default. Change this only if your network uses a different workgroup name.
  • security = user — Samba's default security mode. Clients must present a username and password, but the map to guest directive below handles unauthenticated access.
  • map to guest = bad user — if a client connects with a username that does not exist in the Samba user database, map the connection to the guest account instead of rejecting it. This is what makes the share work without passwords — Windows clients that send their logged-in username are silently mapped to guest.
  • min protocol = SMB3 — reject connections using SMB1 or SMB2. SMB1 has known security vulnerabilities and has been disabled by default in Windows since 2017. SMB2 has been superseded. There is no reason to allow either on a new deployment.
  • passdb backend = tdbsam — store the Samba password database in a local TDB file. This is the default and the right choice for a standalone server.

[Public] Section

  • path — the directory on disk to share.
  • browsable = yes — the share appears in network browsing (e.g. when you open "Network" in Windows Explorer).
  • writable = yes and read only = no — both are needed to ensure write access. They are complementary directives; setting both avoids ambiguity.
  • guest ok = yes — allow connections without a valid Samba account.
  • force user = pubshare — all file operations on this share run as the pubshare Linux user, regardless of who connected. This keeps file ownership consistent and avoids permission problems when multiple clients write to the same directory.

Step 9 — Create the Samba Service User

Create a local Linux user that Samba will use for file operations on the public share. This user does not need a password or a login shell — it exists only as a file ownership identity.

bash
sudo useradd pubshare -s /usr/sbin/nologin

Add the user to the Samba password database. When prompted for a password, just press Enter twice — the password does not matter because the share uses guest access, but Samba requires the user to exist in its database.

bash
sudo smbpasswd -a pubshare

Set ownership of the shared directory to the new user.

bash
sudo chown pubshare /data/shares/public/

Step 10 — Start Samba

Enable and start the Samba service.

bash
sudo systemctl enable --now smb

Samba is now running and will start automatically on boot.

Connect from Another Machine

From a Windows machine on the same network, open File Explorer and type the following in the address bar:

text
\your-server-ip\Public

From a Linux machine, you can mount it or browse it with your file manager. To test from the command line:

bash
smbclient //your-server-ip/Public -N

From a macOS machine, open Finder, press Cmd+K, and enter:

text
smb://your-server-ip/Public

Troubleshooting

Verify Samba Configuration

Samba ships with testparm, which parses smb.conf and reports any errors.

bash
testparm

If the output ends with "Loaded services file OK," your configuration is syntactically valid.

Check SELinux Denials

If clients can connect but cannot read or write files, SELinux is the most likely cause. Check the audit log for denials:

bash
sudo ausearch -m avc -ts recent

If you see denials involving smbd and your data path, re-run the semanage and restorecon commands from Step 6.

Check Firewall

Confirm the Samba service is active in the firewall:

bash
sudo firewall-cmd --list-services

The output should include samba. If it does not, re-run the firewall commands from Step 3.

Check Samba Service Status

bash
sudo systemctl status smb

Look for "active (running)". If the service failed to start, the output will include the reason — most commonly a syntax error in smb.conf.