Some time ago I created this CZ post, "Maxovy poznamky k smb.conf", with my notes on smb.conf:
Here is the ENG translation (not perfect, but I tried my best)
`
## Sources : Samba.org , Archlinux wiki, OpenWRT wiki
### Important files
## 1. /etc/config/samba ==> uci config
## 2. /etc/samba/smb.conf.template ==> uci samba template
## 3. /etc/samba/smb.conf -> /var/etc/smb.conf (resp. /tmp/etc/smb.conf) ==> runtime config, actually used by samba
## 4. /etc/samba/smbpasswd ==> db with passwords
## 5. /var/log/log.smbd ==> samba log , usually empty, all is logged to syslog (if not set differently)
## 6. /var/log/log.nmbd ==> name-server log , usually empty, all is logged to syslog (if not set differently)
### QuickGuide
## create user "samba_user" using "useradd"/"adduser"
## set Unix password "passwd"
## synchronize that user/password with samba using "smbpasswd"
## create the same user with the same samba password on all clients
## --> strictly, this is not necessary if you only want to connect to the shared folder for reading (if you want to write, you have to set it up)
## ==> you have to connect as that user initially and provide the credentials
## --> if the username (or password) is not (or cannot be) the same, you need to map between the Unix and Windows users
## set chown/chmod on the future shared folder (samba_user:users)
## or ensure that the mount of that filesystem is accessible to samba_user (it makes a big difference whether a Linux FS or NTFS/FAT is used)
## --> NTFS is mounted via user space, not directly via a kernel module. If you want NTFS to be writable, you will face issues with the fuse-ntfs module because of the mismatch between Unix, Samba and NTFS rights
## --> it is better to share from a local folder/mount first and test samba on it
## --> later you can add the content via symlink/link, mount, bind/rbind
## ==> in general, using NTFS on TOS brings a lot of issues, so try to avoid that situation
## ----------------------------------------------------------
## /mnt/
drwxr-xr-x 4 samba_user users 4096 May 14 20:46 MyShare
drwxr-xr-x 4 samba_user users 4096 May 14 20:46 MyData
## ----------------------------------------------------------
## /mnt/MyShare ## shared folder
lrwxrwxrwx 1 root root 33 Dec 8 2016 Torrents -> ../MyData/InBound/TorrentFiles/ ## symlink to folder on another mount (Transmission watch folder)
lrwxrwxrwx 1 root root 27 Dec 8 2016 Upload -> ../MyData/InBound/Upload/ ## symlink to folder on another mount (upload folder)
lrwxrwxrwx 1 root root 30 Dec 8 2016 Download -> ../MyData/OutBound/Download/ ## symlink to folder on another mount (download folder)
drwxr-xr-x 5 samba_user users 4096 Mar 31 16:11 Video
## ----------------------------------------------------------
## /mnt/MyData/ ## data folder
drwxr-xr-x 5 samba_user users 4096 Oct 31 2016 Torrent ## main folder for Transmission
drwxr-xr-x 3 samba_user users 4096 Oct 31 2016 InBound ## main folder for inbound data (ftp,smb,torrent,irc)
drwxr-xr-x 2 root root 4096 Dec 8 2016 Users ## symlinks or bind/mount from users to users
drwxr-xr-x 3 samba_user users 4096 Dec 8 2016 OutBound ## main folder for outbound data
drwxr-xr-x 7 root root 4096 Dec 8 2016 vsFtpRoot ## root/chroot folder for vsftpd
drwxr-xr-x 2 root root 4096 Dec 9 2016 ngIrcdRoot ## root/chroot folder for ngircd
## ----------------------------------------------------------
## /etc/config/samba
## UCI source for the Samba service: one "config samba" block with the global identity settings, one "config sambashare" block per exported folder.
config samba
option name 'XXXXX'
option workgroup 'XXXXXXX' ## using WORKGROUP brings less issues with Win8/Win10 stations
## Note: but it is better to use your own group name (see the notes below)
option homes '0' ## disable sharing of home folder
## note: without any other options (without a dedicated samba user)
## users can traverse outside the share folder (and for me that is a security breach)
option description 'XXXXXXX'
## The share below is limited to one named account and refuses guests; the two masks bound the permissions of newly created entries.
config sambashare
option name 'MyShare' ## network share folder name >> \\192.168.1.1\MyShare
option path '/mnt/MyShare' ## path to share folder
option read_only 'no' ## in another word: writeable=yes
option guest_ok 'no' ## no guest user
option users 'samba_user' ## allow access to : samba_user
## NOTE(review): both masks are Unix permission bits; in the generated smb.conf shown on this page they appear as "directory mask" (new directories) and "create mask" (new files), not as one SMB mask and one Unix mask.
option dir_mask '0775' ## SMB mask
option create_mask '0664' ## UNIX mask
## ----------------------------------------------------------
## ./tmp/etc/smb.conf ## this is generated from uci config and template and used by smb service
## ----------------------------------------------------------
## NOTE(review): the trailing "## ..." texts below are annotations for this post. smb.conf only treats lines that start with "#" or ";" as comments, so strip the annotations before reusing any line.
[global]
netbios name = XXXXXXXXX ## network name "netview" --> \\XXXXXXX\MyShare
display charset = UTF-8
## NOTE(review): this list on its own does not limit where smbd accepts connections; that takes "bind interfaces only = yes" (not shown here) or a firewall rule. Confirm ports 139/445 are not reachable from the WAN side.
interfaces = 127.0.0.1/8 lo 192.168.1.1/24 br-lan ## possible samba listening interfaces , in uci config this is not present, but dynamically created config will contain "interfaces = lo br-lan" automatically
server string = XXXXXXXXXXXXXX ## server description
unix charset = UTF-8
workgroup = XXXXXXXXXXXXX ## samba workgroup name, you should add all client station to this workgroup
browseable = yes ## enable listing of shared folders in "netview"
## deadtime is counted in minutes of inactivity and only applies to connections with no open files
deadtime = 30 ## session timeout
local master=yes ## we want TOS to be master
domain master = yes ## we do not want any other host to try election for domain master (many win10 with samba 4.x are trying it)
## if a host with a different homegroup becomes master, you will have issues
preferred master = yes ## for situation when there might be two master, we preffer TOS to be the master
encrypt passwords = true ## enable password encryption
## NOTE(review): per smb.conf(5) this controls whether Samba writes core dumps when it exits abnormally; it does not hide files named "core" in a share.
enable core files = no ## do not show "core" files
guest account = nobody ## guest unix account
## NOTE(review): set in [global], this becomes the default for every share that does not say "guest ok = no" itself ([MyShare] below does). A default of "no" here, with guest access enabled only on shares that need it, fails closed when a share is added later.
guest ok = yes ## enable guest (you can disable per-share later on, or set it globally to NO)
invalid users = root ## root is not allowed to use samba
load printers = no ## no printers
## NOTE(review): "Bad User" maps logins with an unknown user name to the guest account; a wrong password for an existing user is rejected. Together with the global "guest ok = yes", any mistyped or made-up user name ends up as guest.
map to guest = Bad User ## users without passwords will be treated as "guest"
## NOTE(review): there is no SMB4 dialect. Capping at SMB2 rules out SMB3, the dialect family that adds transport encryption, and without a minimum SMB1 stays negotiable on Samba versions whose default minimum is below SMB2.
max protocol = SMB2 ## disable SMB3,SMB4 and allow SMB1 and SMB2
# min protocol = SMB2 ## uncomment this to accept SMB2 only (no SMB1); min/max protocol together set the range of accepted "dialects"
min receivefile size = 16384 ## size of data, where data are going directly from socks to buffer (increase speed of samba)
null passwords = no ## no empty passwords
## NOTE(review): smb.conf(5) describes this as applying PAM account and session checks; with encrypted passwords Samba does not use PAM for the authentication itself. Confirm the effect on this build.
obey pam restrictions = yes ## enable this if you have encrypt-password=true
os level = 20 ## higher number increase probability of winning the election to master
## Theoretically, with os level = 65 you do not need the directives that force winning the election to master
passdb backend = smbpasswd ## utility for samba password --> you should set smbpasswd to each samba user/client
printable = no ## disable writing to spool
security = user ## security level, user,share,domain
## user --> expects all unix/samba users to exist and to have a unix/samba password; authentication is global
## share --> similar to "user", except that authentication is per shared folder
## domain --> you do not want this ... (and if you have an AD/DC, you probably run the samba server on the domain controller)
## NOTE(review): "security = share" is deprecated in Samba 3.6 and no longer available in Samba 4.
## NOTE(review): with encryption disabled, file contents and metadata cross the network in clear text; acceptable only on a LAN segment you trust.
smb encrypt = disabled ## do not encrypt
## NOTE(review): the hashes in this file are password equivalents for SMB logins; keep the file readable by root only.
smb passwd file = /etc/samba/smbpasswd ## file with samba passwords
socket options = TCP_NODELAY IPTOS_LOWDELAY ## local network option to make samba faster :)
syslog = 2 ## verbosity of logging
use sendfile = yes ## for new clients slightly increase the speed of file transfers, for older (win9.x) clients it might bring some issues
writeable = yes ## enable writing
## NOTE(review): with a global "force user", every file operation runs as samba_user whichever account authenticated, so Unix permissions cannot separate one SMB user from another.
force user = samba_user ## force user owner
## NOTE(review): both force modes are Unix permission bits ORed onto new entries: "force directory mode" for directories, "force create mode" for files.
force directory mode = 0775 ## force directory SAMBA permissions (you can change it per-each-share-folder)
force create mode = 0664 ## force directory UNIX permissions (you can change it per-each-share-folder)
allow insecure wide links = yes ## allow symlinks pointing outside the shared-folder to another mount)
## it is not recommended if you link between mounts/binds, but if you stay on the same mount you can use it
## if the mount is mounted as samba_user and the "force" options for files/folders are set correctly, users should not be able to traverse outside the share folder (by following a symlink)
## NOTE(review): with "wide links = yes" smbd follows symlinks that leave the share, so the only remaining limit is what samba_user may read or write on the filesystem. "unix extensions = no" stops clients creating symlinks over SMB, but not anything else that can write into the share (the layout above mentions vsftpd and Transmission folders) — verify who can place links there.
unix extensions = no ## if wide-links are YES set this to NO
wide links = yes ## allow following the symlinks
## to increase security you can unset (disable) both wide-links options and use another method (mount-bind/mount-rbind) instead
## Share definition: one named account, no guests, writable; these per-share values override the [global] defaults of the same name.
[MyShare]
path = /mnt/MyShare ## filesystem mounted under samba_user (eventually mount as used , but ensure that samba_user has access)
valid users = samba_user ## list of users with granted access to this share folder
read only = no ## another way to say "writeable=yes"
## note: the read/write options inside samba do not change the real Unix permissions of files/folders; Unix permissions have the last word
guest ok = no ## no guest access
## NOTE(review): both masks are Unix permission bits ("create mask" for files, "directory mask" for directories). They are ANDed with the permissions a client requests, so they cap rather than force; the "force ... mode" options are the ones that add bits.
create mask = 0664 ## force permissions (if not set, global options are applied ) unix permissions
directory mask = 0775 ## force permissions (if not set, global options are applied ) samba permissions
## ----------------------------------------------------------
### this setup allows connecting to the shared folder as the dedicated samba_user (which must exist on the client and must have a password set)
### browsing is allowed in all subfolders and linked sources
### if you need to share "HOME" for some users, you can symlink the corresponding home as a new share folder (and limit access via smb.conf)
### or you can keep it as a subfolder and manage who can see what purely via Unix permissions ... so no need to touch smb.conf
### (keep in mind that with "force user = samba_user" every SMB client acts as samba_user, so Unix permissions alone cannot tell SMB users apart)
### each approach has pros/cons ....
`