[Samba] Allow single sub-folder access on an otherwise prohibited share - why does the solution work?
Ole Traupe
ole.traupe at tu-berlin.de
Tue Jul 4 13:02:57 UTC 2017
Hi list,

I have managed to grant a specific user access to a sub-folder
(sub-level 3 from the share's entry point, I think) on a Samba 4 share
he/she is not allowed and not able to access in total/general. I tried 2
different ways with one of them working. I'd like to discuss why that is.

For the sake of an example, let's say the share is for teaching material
(exam templates, grade lists, etc.), where only a few people of our
personnel have access. One person shall be granted access to a
sub-folder some levels down the file system, where info material for a
particular course is hosted, but ONLY that folder and its sub-folders.

This person is in the "Domain User" group but NOT in the "Teaching"
group. The share can be accessed by "Domain Admins" and "Teaching"
personnel only (-> via the share's Security settings; Share Permissions
are set to "Full control" for "Everyone"). So usually, access is denied
to that person.

Way 1 - not working:
- simply grant the person dedicated (not inherited) "Modify" permissions
for the sub-folder in question

Way 2 - working:
- add the person to the "Teaching" group (which grants complete access)
- create another group - let's say "Teaching_Users_restricted" - and add
the person to it; DENY this group "Full control" to the complete share's
file system - so again the person does not have access to any part of
the share
- now grant the person dedicated (not inherited) "Modify" permissions
for the sub-folder in question

Why is the second method working (and working as expected)? The only
info I found on the web is that DENY takes precedence over ALLOW, which
does not explain my finding, right?

Ole
--
Dr. Ole Traupe
Lab Manager
Technische Universität Berlin
Biopsychologie und Neuroergonomie
Institut für Psychologie und Arbeitswissenschaft
Biological Psychology and Neuroergonomics
Department of Psychology and Ergonomics
Postanschrift/Mail to:
TU Berlin / KWT-1
Dr. Ole Traupe
Fasanenstr. 1
10623 Berlin
GERMANY
Zimmer/Office: KWT-N, Eingang 1; 2. OG
Telefon/Phone: (+49) 030 314 79513
Fax: (+49) 030 314 79516
E-Mail:ole.traupe at tu-berlin.de
www.bpn.tu-berlin.de
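
The "Way 2" result above depends on ACE order, not on a blanket "deny wins" rule. The following is an added example, not part of the original post and not Samba's code: it models an NT-style in-order DACL walk with explicit ACEs sorted ahead of inherited ones. The account name `course_helper` and the folder layout are constructed assumptions; the group names are the ones from the post, and only the DACL on each folder is modelled, not share-level or filesystem traversal checks.

```python
from collections import namedtuple

FULL_CONTROL = 0x1F01FF  # NT access mask for "Full control"
MODIFY = 0x1301BF        # NT access mask for "Modify"

Ace = namedtuple("Ace", "kind sid mask inherited")

def canonical(aces):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def inherit(aces):
    """ACEs as a child folder receives them from its parent."""
    return [a._replace(inherited=True) for a in aces]

def access_check(dacl, token_sids, desired):
    """Walk the DACL in order; stop at the first deny that hits a still-needed
    bit, or as soon as every requested bit has been allowed."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False

# Constructed layout for "Way 2"; course_helper is a hypothetical account.
SHARE_ROOT = canonical([
    Ace("allow", "Domain Admins", FULL_CONTROL, False),
    Ace("allow", "Teaching", FULL_CONTROL, False),
    Ace("deny", "Teaching_Users_restricted", FULL_CONTROL, False),
])
OTHER_FOLDER = canonical(inherit(SHARE_ROOT))
COURSE_FOLDER = canonical(inherit(SHARE_ROOT)
                          + [Ace("allow", "course_helper", MODIFY, False)])
TOKEN = {"course_helper", "Domain Users", "Teaching", "Teaching_Users_restricted"}

if __name__ == "__main__":
    for name, dacl in [("share root", SHARE_ROOT), ("other folder", OTHER_FOLDER),
                       ("course folder", COURSE_FOLDER)]:
        print(name, "Modify:", access_check(dacl, TOKEN, MODIFY))
```

On the course folder the explicit "Modify" allow is evaluated before the inherited deny, so Modify is granted there, while a Full control request on the same folder still runs into the inherited deny.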