[TriLUG] samba question: user access to subfolder of restricted share

Kevin Hunter Kesling via TriLUG trilug at trilug.org
Wed Jun 3 15:57:30 EDT 2015


Hullo List,

If any of you are on the Samba list, apologies for the cross-post.  The 
list is fairly active, but I haven't received a reply to my question in 
24 hours; I'm hoping for better luck here.

I am relatively new to Samba.  I've recently installed an instance on 
our server (local authentication, utilizing libpam-smbpass), and have 
successfully created a number of employee accounts.  The setup I want 
gives all employees access to a general "projects" share (all have 
access to all items in the share), but with the ability to give 
piecemeal access to subfolders within this share to non-employees.

For example, if we hire a contractor, we'd like to be able to give them 
an account, such that:

      (DENIED)  \\server\projects              (share)
      (ALLOWED) \\server\projects\fun\project  (folder in share)

In the context of Windows-dialogs, (among many other details I've tried) 
I've set the permissions on the \\server\projects share such that only 
members of the employee group have access:

      Group or user names (for \\server\projects):
        - employee (Unix User\employee)
        - employee (SERVER\employee)

I thought it would be as simple as then adding a contractor's username 
to a subfolder:

      Group or user names (for \\server\projects\fun\project):
        - employee (Unix User\employee)
        - employee (SERVER\employee)
        - somecontractor (SERVER\somecontractor)

and somecontractor has modify access.  However, when I try to map that 
as a network drive with somecontractor's credentials ... no luck, 
"Access is denied".

      Map Network Drive
      Z: -> \\server\projects\funproject (with: somecontractor/password)

And in case it's a different thought process, I'd also like to be able 
to give access to folders at arbitrary depths.  For example:

      Map Network Drive
      Z: -> \\server\projects\other\folder\other\project
          (with: somecontractor/password)

I assume it's possible to do what I want?  How?

Perhaps I've missed a beat with Windows permissions?  Does the 
somecontractor user need to have at least (some version of) the execute 
permission on all directories in the hierarchy (analogous to standard 
*nix directory permissions)?

Thanks,

Kevin
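
The closing question above asks whether somecontractor needs execute permission on every directory in the hierarchy. On the *nix side that can be checked directly: the sketch below (an added example, not part of the original post) reports the first directory on the way to a folder that a given user cannot traverse. It assumes a server-side path of /srv/projects and made-up uid/gid numbers, looks only at classic mode bits (no POSIX ACLs), and does not model Samba's share-level permissions.

```python
import os
import pwd
import stat
from collections import namedtuple

# Stand-in for os.stat_result so the constructed sample runs anywhere.
Entry = namedtuple("Entry", "st_mode st_uid st_gid")

def can_search(st, uid, gids):
    """Mode-bit test for directory search (x). POSIX ACLs are not consulted."""
    if uid == 0:
        return True  # root bypasses directory search checks
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def first_blocked(path, uid, gids, stat_fn=os.stat):
    """Return the first directory from / down to path that uid cannot traverse, else None."""
    current, chain = "", ["/"]
    for part in filter(None, path.split("/")):
        current += "/" + part
        chain.append(current)
    for directory in chain:
        if not can_search(stat_fn(directory), uid, gids):
            return directory
    return None

def ids_for(username):
    """Look up the uid and all group ids of a real local account."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, set(os.getgrouplist(username, pw.pw_gid))

# Constructed sample: /srv/projects is an assumed path; uid 2001 = somecontractor,
# gid 1001 = employee. Only the employee group may enter the share root.
D = stat.S_IFDIR
SAMPLE = {
    "/": Entry(D | 0o755, 0, 0),
    "/srv": Entry(D | 0o755, 0, 0),
    "/srv/projects": Entry(D | 0o770, 0, 1001),
    "/srv/projects/fun": Entry(D | 0o770, 0, 1001),
    "/srv/projects/fun/project": Entry(D | 0o770, 2001, 1001),
}

if __name__ == "__main__":
    target = "/srv/projects/fun/project"
    print("contractor blocked at:", first_blocked(target, 2001, {2001}, SAMPLE.__getitem__))
    print("employee blocked at:", first_blocked(target, 1500, {1001}, SAMPLE.__getitem__))
```

Against a live filesystem, drop the `stat_fn` argument and call `first_blocked(path, *ids_for("somecontractor"))` as root on the server.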

