[Samba] custom permission for single user deep in tree where he has no access

Coert Waagmeester lgroups at waagmeester.co.za
Tue Jun 11 01:56:15 MDT 2013


Hello all,

Got Samba with AD integration and extended ACL up and running.

Here is what I am trying to do.

share1 in smb.conf:
         [share1]
         comment = share1
         path = /mnt/data/share1
         public = no
         writable = yes
         printable = no
         valid users = @DOMAIN+group1

user1 and user2 are members of group1
user3 is not

user1 creates \\server\share1\dir1\user3
user1 grants permission only on the user3 directory to user3, not on any 
parent directories

According to what I experienced with a Windows file server, user3 should 
be able to access this folder on:
\\server\share1\dir1\user3

But I get access denied with this Samba setup.

Are there any configuration directives I am missing?

Kind regards,
Coert Waagmeester

PS: Here is my smb.conf:
#======================= Global Settings =====================================
[global]
         workgroup = DOMAIN
         server string = DOMAIN File server
# --------------------------- Logging Options -----------------------------
         log file = /var/log/samba/log.%m
         max log size = 50
# ----------------------- Domain Members Options ------------------------
         security = domain
         passdb backend = tdbsam
         realm = DOMAIN.LOCAL

         winbind enum users = Yes
         winbind enum groups = Yes
         ;winbind use default domain = Yes
         winbind nested groups = Yes
         winbind separator = +
         idmap config * : range = 6000-20000
         idmap config * : backend = tdb
         ;idmap uid = 6000-20000
         ;idmap gid = 6000-20000
         ;template primary group = "Domain Users"
         template shell = /sbin/nologin
         template homedir = /mnt/data/DOMAIN/home/%D/%U
         root preexec = /usr/local/sbin/mkhomedir.sh %D %U
;       password server = <NT-Server-Name>
# --------------------------- Printing Options -----------------------------
         load printers = yes
         cups options = raw
;       printcap name = /etc/printcap
         #obtain list of printers automatically on SystemV
;       printcap name = lpstat
;       printing = cups
# --------------------------- Filesystem Options ---------------------------
        map archive = yes
        map hidden = yes
        map read only = yes
        map system = yes
        store dos attributes = yes
#============================ Share Definitions ==============================
[homes]
         comment = Home Directories
         browseable = no
         writable = yes
         create mask = 0700
         directory mask = 0700
[printers]
         comment = All Printers
         path = /var/spool/samba
         browseable = no
         guest ok = no
         writable = no
         printable = yes

[share1]
         comment = share1
         path = /mnt/data/share1
         public = no
         writable = yes
         printable = no
         ;write list = +staff
         valid users = @DOMAIN+group1, DOMAIN+user3
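
An added example, not part of the original post: on a POSIX filesystem a user needs search (`x`) permission on every directory leading to the target, whereas Windows by default lets users bypass traverse checking, so an ACL entry on only the leaf directory is not enough. The Python sketch below models the POSIX ACL check for the tree described above; the uids, gids, modes and helper names are constructed assumptions, named-group entries and directories above the share root are left out, and Samba's share-level `valid users` check is not modelled.

```python
# Constructed model of the POSIX ACL access check (see acl(5)); not Samba code.
X = 1  # search/execute bit (read = 4, write = 2)
GROUP1, OTHER_GID, USER1, USER3 = 6100, 6200, 6001, 6003  # made-up ids

def directory(owner, group, mode, users=None):
    """Build an ACL record from mode bits plus optional named-user entries."""
    return {"owner": owner, "group": group, "user_obj": (mode >> 6) & 7,
            "group_obj": (mode >> 3) & 7, "other": mode & 7,
            "users": users or {}, "mask": 7}

def acl_allows(acl, uid, gids, want):
    """True if `acl` grants all permission bits in `want` to uid/gids."""
    if uid == acl["owner"]:
        return (acl["user_obj"] & want) == want          # owner: mask not applied
    if uid in acl["users"]:
        return (acl["users"][uid] & acl["mask"] & want) == want
    if acl["group"] in gids:
        return (acl["group_obj"] & acl["mask"] & want) == want
    return (acl["other"] & want) == want

def first_blocked(tree, uid, gids):
    """Walk root-to-leaf; return the first directory lacking search (x), or None."""
    for path, acl in tree:
        if not acl_allows(acl, uid, gids, X):
            return path
    return None

def build_tree(parent_users=None):
    """The share from the post; parent_users adds named-user entries on the parents."""
    return [
        ("/mnt/data/share1", directory(0, GROUP1, 0o770, parent_users)),
        ("/mnt/data/share1/dir1", directory(USER1, GROUP1, 0o770, parent_users)),
        ("/mnt/data/share1/dir1/user3", directory(USER1, GROUP1, 0o770, {USER3: 7})),
    ]

if __name__ == "__main__":
    print(first_blocked(build_tree(), USER3, {OTHER_GID}))            # leaf ACL only
    print(first_blocked(build_tree({USER3: X}), USER3, {OTHER_GID}))  # x on parents
```

On a real server the equivalent grant is a named-user entry carrying only `x` on each parent directory (for example `setfacl -m u:<user>:x <dir>`), which permits traversal without allowing the parent's contents to be listed.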

