[Samba] Allow single sub-folder access on an otherwise prohibited share - why does the solution work?

[Klaus Hartnegg]

Am 04.07.2017 um 15:02 schrieb Ole Traupe via samba:
> I have managed to grant a specific user access to a sub-folder 
> (sub-level 3 from the share's entry point, I think) on a Samba 4 share 
> he/she is not allowed and not able to access in total/general. I tried 2 
> different ways with one of them working. I'd like to discuss why that is.

The correct way to do this is to grant the user only the X right on only 
the folders above, and the RX or M right on the folder where user should 
have access.

icacls dir         /grant user:(np)(x)
icacls dir\subdir  /grant user:m

The user will not be able to do anything in dir, not even see subdir. 
The admin should create a shortcut to subdir, and place that shortcut 
somewhere where the user can click on it, for example on the users desktop.