
securing SAMBA smb.conf best parameters

3 votes
1 answer
6666 views
Given today's date, running **Windows 10 or later** and connecting to a **RHEL 8.8 or newer** Linux system which currently has samba-4.17.5-3.el8_8, what is a ***best practice*** for parameters one should have in `/etc/samba/smb.conf` to ensure the **most secure and reliable connection** over that protocol?

Below is what I am using. Can anyone modify or add to it to make it better? I am doing a simple Samba setup with `security = user` and `passdb backend = tdbsam`, with simple local passwords created with `smbpasswd -a`. If you have an smb.conf template to share that involves Windows domain joining and Active Directory and other more complicated things, that would be cool too.

I am showing the two basic shares (home and data) that I almost always do. Are there parameters that should also be there to improve security?

Note: I am not concerned all that much with the logging part, but it would be appreciated if you can improve on it or provide an explanation such that an admin could read it and make a rational decision on how to configure.

```
# /etc/samba/smb.conf template, RHEL 8.8

[global]
        workgroup = SAMBA
        security = user
        passdb backend = tdbsam

        printing = bsd
        printcap name = /dev/null
        load printers = no
        disable spoolss = yes

        log level = 0 vfs:10
        log file = /var/log/samba/sambavfs.log
        max log size = 0

        smb encrypt = required
        client min protocol = SMB3
        client max protocol = SMB3
        client signing = mandatory
        server signing = mandatory

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
        vfs objects = extd_audit

[data]
        comment = data
        inherit acls = Yes
        read only = No
        path = /data
        directory mask = 770
        create mask = 660
        vfs objects = extd_audit
```

**NOTE:** I just also found out that **FIPS=1** in `GRUB_CMDLINE_LINUX` in `/etc/default/grub` (or doing `fips-mode-setup --enable`, which is available in RHEL-8) kills a Samba connection from Windows. See https://access.redhat.com/discussions/7022626. This was not the case in RHEL-7.9 when doing FIPS=1.
Asked by ron (8647 rep)
Nov 14, 2023, 08:47 PM
Last activity: Sep 17, 2024, 05:08 AM
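
An added example, not part of the original question: a small Python audit that splits the security parameters of the posted `[global]` section by the side of the connection they govern. In Samba the `client ...` parameters apply when Samba itself acts as an SMB client, while `server ...` parameters and `smb encrypt` apply to incoming connections such as the Windows 10 one described. The checklist contents and the function names are assumptions made for illustration.

```python
# Constructed sample: the security lines of [global] from the question, abridged.
CONF = """\
[global]
smb encrypt = required
client min protocol = SMB3
client max protocol = SMB3
client signing = mandatory
server signing = mandatory
[data]
path = /data
"""

# Canonical names; assumption: an illustrative checklist, not a full baseline.
SERVER_SIDE = {"serverminprotocol", "serversigning", "serversmbencrypt"}
CLIENT_SIDE = {"clientminprotocol", "clientmaxprotocol", "clientsigning"}
SYNONYMS = {"smbencrypt": "serversmbencrypt", "minprotocol": "serverminprotocol"}


def canon(name):
    """Samba ignores case and whitespace in section and parameter names."""
    key = "".join(name.split()).lower()
    return SYNONYMS.get(key, key)


def parse_global(text):
    """Return {canonical parameter: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = canon(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[canon(name)] = value.strip()
    return params


def audit(text):
    """Group checklist parameters by the side of the connection they affect."""
    params = parse_global(text)
    return {
        "server_set": {k: params[k] for k in SERVER_SIDE if k in params},
        "server_unset": sorted(SERVER_SIDE - set(params)),
        "client_only": {k: params[k] for k in CLIENT_SIDE if k in params},
    }


if __name__ == "__main__":
    print(audit(CONF))
```

Parameters listed under `server_unset` fall back to Samba's built-in defaults; on a live system `testparm -sv` prints the effective values, including those defaults.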