[Samba] Allow single sub-folder access on an otherwise prohibited share - why does the solution work?

Ole Traupe ole.traupe at tu-berlin.de
Fri Aug 4 12:17:12 UTC 2017

Andrew, Klaus, let me first thank you for your hints and explanations, 
and apologize that I didn't respond in time! Actually, I simply forgot 
about having posted my question due to high work load in other areas.

Yes, denial takes precedence over permission, also in Windows/Samba, 
afaik. Which is why step 2 of my 2nd solution works.

And yes, explicit permissions take precedence over inheritance, which is 
why step 3 of my 2nd solution works. But to my intuition, this should 
apply to the first solution as well: granting explicit permissions 
(actually any explicit or implicit ACL mentioning of that user/group) 
ONLY for the folder in question.

The missing 'traverse' permission seems to be the culprit. Thanks to 
both of you!

Although I am a bit puzzled:
- step 1 (adding user to Teaching group, which has 'modify' permission 
for the whole share) obviously includes 'traversal'
- step 2 (adding user to Teaching_Users_restricted, being _denied_ 'full 
control' for the whole share) should also include the 'traversal'
Those two steps should cancel each other out, no?

In any case, just providing the 'traverse' permission for the above 
folders works perfectly. Thanks again!

And yes, we are using shortcuts. But mapping a network drive to this 
particular sub-folder works, as well.


On 06.07.2017 18:44, Klaus Hartnegg via samba wrote:
> Am 04.07.2017 um 15:02 schrieb Ole Traupe via samba:
>> I have managed to grant a specific user access to a sub-folder 
>> (sub-level 3 from the share's entry point, I think) on a Samba 4 
>> share he/she is not allowed and not able to access in total/general. 
>> I tried 2 different ways with one of them working. I'd like to 
>> discuss why that is.
> The correct way to do this is to grant the user only the X right on 
> only the folders above, and the RX or M right on the folder where user 
> should have access.
> icacls dir         /grant user:(np)(x)
> icacls dir\subdir  /grant user:m
> The user will not be able to do anything in dir, not even see subdir. 
> The admin should create a shortcut to subdir, and place that shortcut 
> somewhere where the user can click on it, for example on the users 
> desktop.
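The two rules the thread leans on (deny ACEs are evaluated before allow ACEs, explicit ACEs before inherited ones) plus the traverse requirement on every folder above the target can be reproduced in a small model of Windows DACL evaluation. The following is an added illustration, not code from this thread or from Samba; the folder layout `share/dir1/dir2/subdir`, the user `alice` and the access-mask bit values are constructed, while the group names come from the thread. It shows Klaus' traverse-only approach working, and for Ole's second solution it shows the inherited deny blocking traverse on the intermediate folders until an explicit X is added there, with the caveat that on the folder carrying the explicit deny itself an explicit allow does not override it.

```python
from dataclasses import dataclass, field
from typing import Optional

# Simplified access-mask bits (constructed); real NTFS masks are wider, but
# these are enough to model the icacls rights named in the thread (X, RX, M, F).
READ, WRITE, TRAVERSE, DELETE, CHANGE_PERMS = 0x01, 0x02, 0x04, 0x08, 0x10
RX = READ | TRAVERSE                        # icacls "RX"
MODIFY = READ | WRITE | TRAVERSE | DELETE   # icacls "M"
FULL = MODIFY | CHANGE_PERMS                # icacls "F"


@dataclass
class Ace:
    trustee: str              # user or group name
    allow: bool               # True = allow ACE, False = deny ACE
    mask: int
    inheritable: bool = True  # False = this folder only, like a grant without (OI)(CI)


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    aces: list = field(default_factory=list)  # explicit ACEs set on this folder

    def child(self, name):
        return Folder(name, parent=self)


def effective_aces(folder):
    """Canonical DACL order: explicit denies, explicit allows, then inherited
    ACEs (denies before allows), nearest ancestor first."""
    ordered = sorted(folder.aces, key=lambda a: a.allow)  # False (deny) sorts first
    anc = folder.parent
    while anc is not None:
        ordered += sorted((a for a in anc.aces if a.inheritable), key=lambda a: a.allow)
        anc = anc.parent
    return ordered


def access_check(folder, principals, desired):
    """Windows-style check: walk the ordered DACL; a deny ACE overlapping a
    still-ungranted bit fails the request, allow ACEs accumulate bits until
    none remain, and bits nobody grants are an implicit deny."""
    remaining = desired
    for ace in effective_aces(folder):
        if ace.trustee not in principals:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def can_open(folder, principals, desired):
    """Reaching a folder needs TRAVERSE on every ancestor plus `desired` on the
    target, the behaviour the thread observed on the Samba share. (Windows
    itself normally skips the ancestor checks via 'Bypass traverse checking'.)"""
    anc = folder.parent
    while anc is not None:
        if not access_check(anc, principals, TRAVERSE):
            return False
        anc = anc.parent
    return access_check(folder, principals, desired)


def build_tree():
    """Constructed layout share/dir1/dir2/subdir; subdir is the sub-level-3 folder."""
    share = Folder("share")
    d1 = share.child("dir1")
    d2 = d1.child("dir2")
    return share, d1, d2, d2.child("subdir")


def scenario_traverse_only():
    """Klaus' approach: X on each folder above (this folder only), M on subdir."""
    share, d1, d2, sub = build_tree()
    for f in (share, d1, d2):
        f.aces.append(Ace("alice", True, TRAVERSE, inheritable=False))
    sub.aces.append(Ace("alice", True, MODIFY))
    p = {"alice"}  # constructed user, member of no other group
    return {
        "list_share": can_open(share, p, READ),  # cannot even see that subdir exists
        "list_subdir": can_open(sub, p, READ),
        "write_subdir": can_open(sub, p, WRITE),
    }


def scenario_deny_group():
    """Ole's second solution: alice is in Teaching (allow M on the share) and in
    Teaching_Users_restricted (deny F on the share); step 3 grants her M
    explicitly on subdir, then X is granted explicitly on the folders above."""
    share, d1, d2, sub = build_tree()
    share.aces.append(Ace("Teaching", True, MODIFY))
    share.aces.append(Ace("Teaching_Users_restricted", False, FULL))
    sub.aces.append(Ace("alice", True, MODIFY))
    p = {"alice", "Teaching", "Teaching_Users_restricted"}
    before = access_check(d1, p, TRAVERSE)  # inherited deny beats inherited allow
    for f in (share, d1, d2):
        f.aces.append(Ace("alice", True, TRAVERSE, inheritable=False))
    return {
        "subdir_explicit_allow_wins": access_check(sub, p, MODIFY),
        "dir1_traverse_before_grant": before,
        "dir1_traverse_after_grant": access_check(d1, p, TRAVERSE),
        # Where the deny itself is explicit, an explicit allow is ordered after it
        # and cannot help; the deny has to be set below the folders the user must pass.
        "share_root_traverse": access_check(share, p, TRAVERSE),
    }


if __name__ == "__main__":
    print(scenario_traverse_only())
    print(scenario_deny_group())
```

The model deliberately checks TRAVERSE on each ancestor, because that is what the thread found missing; Windows clients accessing local NTFS would not notice the gap, which is part of why the behaviour looks puzzling when the same ACLs are managed through a Samba share.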
