[Samba] Multiple groups and access

[Volar - james]

Hi folks.

I have set up a Samba server for a small company to share docs. The
implementation was smooth and has been stable ever since. Now, the admin
staff needs a change made and I am wondering how best to implement it as
painlessly as possible.

The requirement is to change the folder/file access so it denies access
for some members while still allowing access for others. Simple, right?
Wrong. I told the staff at the time of implementation that the share
layout should be as precise as possible and that groups were to be
specifically set for access. They decided to ignore this and went for a
single group with nested folders under the main shares.

So the layout is:

sharename = projects
path = /home/projects
1 level of nested folders = project1, project2, etc...
2nd level of nested folders = financial1, financial2, etc...

Group is offadmin, members: person1, person2, person3, person4.

Anway, the single group has 4 members which all have read/write access.
Only one member needs to be denied access to the financials.

So I tried the Linux/UNIX group ACL's to disallow anyone in a different
group:

/home/projects 770 - Obviously, that won't work as based on groups, the
user is allowed in.

I then shared out the financials folders, added the person into a second
group and added that group to the invalid users list:

invalid users = nonoffadmin

I know this works as I actually have tested it... Would this be a
solution or a work around? Does anyone have a better idea to share?

--james