[Samba] Regarding close-denied-share option

[Rowland Penny]

On Wed, 18 Jun 2025 12:01:14 +0000
"., Srikanth N S via samba" <samba at lists.samba.org> wrote:

> Hi,
> 
> We have observed that when we remove the ACL of a Windows user and
> call smbcontrol close-denied-share the share permissions are not
> getting updated dynamically. Even if we unmap and map the share the
> share permissions are not getting reflected on Windows.
> 
> But in case of Adding/Updating ACL using smbcontrol
> close-denied-share works as expected.
> 
> Following is our test case details:
> 
>   *   Created a share “share1” with RW permission
> 
> 
> [share1]
> path = /mnt/export
> read only = no
> read list =
> write list =
> 
> 
>   *   Logged in as user “matt” on windows and mapped “share1”. We can
> read and write on share1
>   *   Created an ACL for “matt” with RO permission
> 
> [share1]
> path = /mnt/export
> read only = no
> read list = matt
> write list =
> 
> 
>   *   Ran smbcontrol smbd close-denied-share share1
>   *   Observed that the user “matt” cannot write i.e only has READ
> permissons as expected
>   *   Removed ACL for “matt”
> 
> [share1]
> path = /mnt/export
> read only = no
> read list =
> write list =
> 
> 
>   *   Ran smbcontrol smbd close-denied-share share1
>   *   Observed that the user “matt” still has RO permission. We
> expected the user to have the default share1 permissions which is RW
> 
> Please clarify.
> 
> Thanks & Regards,
> Srikanth N S

I think if you read the  man page for smbcontrol, you might understand
what is going on here.

The user is only disconnected if they are connected, but have been
placed on the 'read list' since they connected. If they are connected
and removed from the 'read list', they are not disconnected when
'smbcontrol smbd close-denied-share' is run, because they are allowed
access.

Rowland