smb.conf:
[global]
security = user
encrypt passwords = true
map to guest = bad user
guest account = nobody
create mask = 0644
directory mask = 0755
[PrivateShareName]
comment = File Server
path = /path/to/private/share
browseable = no
read only = no
valid users = USER
[PublicShareName]
comment = Media Drive
path = /path/to/public/share
read only = yes
guest only = yes
guest ok = yes
Be sure to add USER to the Samba password database by executing the following on the Samba server (USER must already exist as a system account on that server):
$ smbpasswd -a USER
The smb.conf shown above creates two shares. PublicShareName, located at /path/to/public/share, is a public share that is available to everyone read only. PrivateShareName, located at /path/to/private/share, is a private share that is hidden from the share list and accessible only to USER, who has full access.
Attribute Explanations:
security = user
A user must present a valid username and password to access the share.
map to guest = bad user
Logon attempts with an invalid username/password combination are rejected, unless the username doesn’t exist on the server, in which case the user is treated as a guest and mapped to the guest account (nobody in this configuration).
create mask = 0644
This is a mask that is logically ANDed with the permissions on the client file system. The easy way to think about it is as the maximum permissions that a file stored on the share by a client can have. 0644 gives read access to all, write access to the file’s owner, and execute access to none.
directory mask = 0755
Same as create mask, but for directories. 0755 is the same as 0644, but with execute permission given to all. This is necessary for directories, because the execute bit on a directory is what allows entering it and reaching the files inside.
browseable = no
This prevents the share from appearing in the network’s list of available shares. It does not restrict access by itself; on the private share, valid users is what limits access to USER.
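The attributes explained above can be checked mechanically. The following Python sketch is an added example, not part of the original page or of Samba: it parses the smb.conf shown on this page (embedded verbatim), uses the [global] values as fallbacks, and reports each share's guest access, writability, visibility, and maximum file and directory modes. The function names are hypothetical, and it recognises only the parameter spellings used on this page, not Samba's synonyms such as writable or public.

```python
import configparser

# The smb.conf from this page, embedded so the example runs offline.
SMB_CONF = """\
[global]
security = user
encrypt passwords = true
map to guest = bad user
guest account = nobody
create mask = 0644
directory mask = 0755
[PrivateShareName]
comment = File Server
path = /path/to/private/share
browseable = no
read only = no
valid users = USER
[PublicShareName]
comment = Media Drive
path = /path/to/public/share
read only = yes
guest only = yes
guest ok = yes
"""

def _yes(value):
    return value.strip().lower() in ("yes", "true", "on", "1")

def audit(conf_text):
    """Return {share: facts}; [global] supplies values a share omits."""
    cp = configparser.ConfigParser(interpolation=None, default_section="global")
    cp.read_string(conf_text)
    report = {}
    for share in cp.sections():
        s = cp[share]  # second argument of get() is Samba's default value
        report[share] = {
            "guest": _yes(s.get("guest ok", "no")),
            "writable": not _yes(s.get("read only", "yes")),
            "listed": _yes(s.get("browseable", "yes")),
            "valid_users": s.get("valid users", "").split(),
            # The mask is ANDed with the widest mode a client could request.
            "file_mode": oct(0o777 & int(s.get("create mask", "0744"), 8)),
            "dir_mode": oct(0o777 & int(s.get("directory mask", "0755"), 8)),
        }
    return report

def risky(report):
    """Shares that guests can write to: the combination worth flagging."""
    return [n for n, f in report.items() if f["guest"] and f["writable"]]
```

For the configuration on this page, risky(audit(SMB_CONF)) is empty; it would name PublicShareName if that share's read only were changed to no.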
For further information, see the smb.conf man page at samba.org or the free ebook, Using Samba, 2nd Edition.