Dizwell Informatics

News from Nowhere

Samba on Fedora 25

The requirement is simple enough: create a network/samba share on my Fedora 25 PC that Windows machines can connect to (with full read-write permissions) without being challenged for a username or password. The solution was not so easy, however, as Fedora 25 implements SELinux (which you could always disable, but it’s on for good reasons so I’d prefer not to just go around disabling it). There’s also a firewall in the way, which also has to be dealt with in a subtle way (i.e., just disabling the firewall is not an option!)

So, on the Linux PC, we need first to install the Samba server (and I throw in the client for good measure, though it’s not strictly needed; and my favourite text editor, which maybe also isn’t strictly needed if you’re happy with the likes of vi or emacs!):

sudo dnf install samba samba-client nano

Next, we need to edit the Samba configuration file:

sudo nano /etc/samba/smb.conf

In the configuration file you’re now editing, you need to end up with this sort of thing (but taking out the comments):

[global]
        workgroup = DIZWELL         # replace with an appropriate WORKGROUP name
        security = user             # this isn't optional
        unix charset = UTF-8        # makes sense for me, but your characterset needs might be different
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw
        map to guest = Bad User     # this isn't optional, either 

[BIGDATA]                           # this is the share name and can be anything
        path = /data                # here is where the stuff I want to share resides
        writable = yes
        browsable = yes
        guest ok = yes
        guest only = yes
        create mask = 0777
        directory mask = 0777
        public = yes
        available = yes

You may have other sections that control the sharing of home directories and printers -but I’m not interested in those so much at this point. All I’m really after is creating one big network share of all my data, so I create a ‘BIGDATA’ section -in which all the entries are necessary to allow password-less access to the share, backed by -in this case- a physical /data directory. Save the modified file when done: Samba is now correctly to configured to let the world and her dog have access to /data via a network share.

However, you need to make sure the file permissions on the server allow this wide-open access as well as the Samba configuration now does. So, if you haven’t already done it:

sudo chmod 777 /data

Now for a final bit of preparation:

sudo firewall-cmd --add-service=samba --permanent
sudo setsebool -P samba_export_all_rw 1

The first of those commands leaves the firewall on, but with a permanent exception that allows Samba traffic through. The second command configures SELinux correctly to allow everything set up as a network share in the smb.conf configuration file to be accessed in full read-write mode. That again lets SELinux stay on in ‘enforcing’ mode, but with the necessary, narrowly-scoped exceptions to let Samba work.

Finally:

sudo systemctl enable smb nmb
sudo systemctl start smb nmb

That just makes sure the Samba services can auto-start every time I reboot my PC in the future, and then switches them on right now. That done, you should be able to browse from within your Windows Explorer session to the relevant server, see the new anonymous share and make full use of it without password or other security challenges.