[Samba] Regarding close-denied-share option

Wed Jun 18 14:41:38 UTC 2025

>I do not know how you can get smbd to know if a user was just added to
>'write list' or removed from 'read list', mainly because the
>permissions etc are set at connection time, the user needs to be
>disconnected and then reconnect to get the new permission.

From the man page of smbcontrol

close-denied-share

Behave like close-share, but don't disconnect users that are still allowed to access the share. It can safely be sent to all smbds after changing share access controls. It will only affect users who have been denied access since having connected initially. This message can only be sent to smbd.

We can see that it will only affect users who have been denied access since having connected initially. In this case since the user is denied write access since having connected initially and hence we expect close-denied-share to disconnect smb client which is not happening. As per my understanding from the man page “It will only affect users who have been denied access” if close-denied-share is able to disconnect smb clients then it should know which users are affected.

Please clarify.

Thanks & Regards,
Srikanth NS

From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
Date: Wednesday, 18 June 2025 at 7:23 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Regarding close-denied-share option
On Wed, 18 Jun 2025 13:36:25 +0000
"., Srikanth N S" <srikanth.nagasubbaraoseetharaman at hpe.com> wrote:

> Thanks Rowland for the reply.
>
> If I understand correctly, if the share permission was RW and if I
> add an user in the read list then close-denied-share will work
> because I am denying write permission. If I remove the user from the
> read list then close-denied-share will not have any effect because
> the user is not denied of any permission (read or write).

That is how I read it, if you add a user to 'read list =' and then run
the smbcontrol cmd, that user is disconnected.

>
> Please let us know if my understanding is correct. If so then could
> you please let us know how to notify this change to SMB client in
> this case.

Not sure you can, without disconnecting all users from the share.

>
> We also tried the reverse scenario which is having RO permission for
> the share and then add an user to the write list. As mentioned
> earlier adding an user is notified to the windows client when we
> issue close-denied-share. But when we remove the user from the write
> list and then issue close-denied-share the client is not notified of
> the permission change. In this case the user is actually denied of
> write permission and hence we expect close-denied-share to notify the
> SMB client.

I do not know how you can get smbd to know if a user was just added to
'write list' or removed from 'read list', mainly because the
permissions etc are set at connection time, the user needs to be
disconnected and then reconnect to get the new permission.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://urldefense.com/v3/__https://lists.samba.org/mailman/options/samba__;!!NpxR!nz4vfS1KjiLsVtdKcV7QG_lbc7DxoHmCI-Te3uY9f5AULCfdY5cPZe08Gc8aoZyMoHR-spAaYcdeY5eQfTC9r1LIT9T16NeE$<https://urldefense.com/v3/__https:/lists.samba.org/mailman/options/samba__;!!NpxR!nz4vfS1KjiLsVtdKcV7QG_lbc7DxoHmCI-Te3uY9f5AULCfdY5cPZe08Gc8aoZyMoHR-spAaYcdeY5eQfTC9r1LIT9T16NeE$>