[Samba] Allow single sub-folder access on an otherwise prohibited share - why does the solution work?

Andrew Walker walker.aj325 at gmail.com
Thu Jul 6 12:11:13 UTC 2017

This wasn't a very good answer to the initial question. I presume you're
using acl_xattr, which I'm not overly familiar with (I use ZFS ACLs). In
general, users need the x-bit to be able to traverse the file tree in which
a share is located (in addition to whatever ACLs may be defined in the
xattr). Perhaps take a close look at both the ACL and the underlying
filesystem permissions. In theory, it's possible that when you added the
user to the teaching group, that particular group had the x-bit for the
share, then the final explicit ACL took precedence as you defined the
filesystem ACLs. Permissions can be tricky.

It's worth noting that with ZFS ACLs, IIRC, deny always takes precedence.

On Wed, Jul 5, 2017 at 9:00 AM, Andrew Walker <walker.aj325 at gmail.com>

> Why is the second method working (and working as expected)? The only info
>> I found on the web is that DENY takes precedence over ALLOW, which does not
>> explain my finding, right?
> In Windows, explicit permissions take precedence over inherited
> permissions, even inherited deny permissions.  https://technet.microsoft.
> com/en-us/library/cc783530(v=ws.10).aspx
> Samba apparently does the same.

More information about the samba mailing list