[Samba] Allow single sub-folder access on an otherwise prohibited share - why does the solution work?

Hi list,

I have managed to grant a specific user access to a sub-folder (sub-level 3 from the share's entry point, I think) on a Samba 4 share that he/she is otherwise not allowed, and not able, to access at all. I tried 2 different ways, one of which works. I'd like to discuss why that is.

For the sake of an example, let's say the share is for teaching material (exam templates, grade lists, etc.), where only a few people of our personnel have access. One person shall be granted access to a sub-folder some levels down the file system, where info material for a particular course is hosted, but ONLY that folder and its sub-folders.

This person is in the "Domain Users" group but NOT in the "Teaching" group. The share can be accessed by "Domain Admins" and "Teaching" personnel only (via the share's Security settings; Share Permissions are set to "Full control" for "Everyone"). So normally, access is denied to that person.

Way 1 - not working:
- simply grant the person dedicated (not inherited) "Modify" permissions for the sub-folder in question

Way 2 - working:
- add the person to the "Teaching" group (which grants complete access)
- create another group - let's say "Teaching_Users_restricted" - and add the person to it
- DENY this group "Full control" on the complete share's file system - so again the person does not have access to any part of the share
- now grant the person dedicated (not inherited) "Modify" permissions for the sub-folder in question

Why does the second method work (and work as expected)? The only info I found on the web is that DENY takes precedence over ALLOW, which does not explain my finding, right?
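The rule the poster found ("DENY takes precedence over ALLOW") is only half of the canonical DACL order Windows clients and Samba apply: explicit deny, then explicit allow, then inherited deny, then inherited allow. Deny beats allow only within the same inheritance tier; an explicit (non-inherited) allow is evaluated before a deny that was inherited from a parent. The model below is an added example, not part of the original post: it implements that ordering and the AccessCheck walk, then applies it to the two set-ups described above. The trustee names ("Teaching", "Teaching_Users_restricted", "Domain Admins", "Domain Users") are taken from the post; the exact ACEs, the "person" trustee and the root -> course -> course/info folder layout are assumptions made to mirror Way 1 and Way 2.

```python
"""Canonical-order DACL evaluation applied to the two set-ups in the post.

Added example, not from the original post. Trustee names follow the post;
the exact ACEs and the folder layout are assumptions made to mirror
Way 1 and Way 2.
"""
from dataclasses import dataclass

# Windows access-mask bits (real values) and the "basic permission" sets
# shown in the Security tab.
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0001, 0x0002, 0x0004
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x0008, 0x0010, 0x0020  # 0x20 = traverse
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x0080, 0x0100
DELETE, READ_CONTROL, SYNCHRONIZE = 0x00010000, 0x00020000, 0x00100000

FULL_CONTROL = 0x001F01FF
MODIFY = (FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_READ_EA
          | FILE_WRITE_EA | FILE_EXECUTE | FILE_READ_ATTRIBUTES
          | FILE_WRITE_ATTRIBUTES | DELETE | READ_CONTROL | SYNCHRONIZE)
READ_EXECUTE = (FILE_READ_DATA | FILE_READ_EA | FILE_EXECUTE
                | FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE)


@dataclass(frozen=True)
class Ace:
    trustee: str
    allow: bool          # False = ACCESS_DENIED_ACE
    mask: int
    inherited: bool      # INHERITED_ACE flag set


def canonical(dacl):
    """Canonical ACE order: explicit deny, explicit allow, inherited deny,
    inherited allow. 'Deny beats allow' only holds inside one tier."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def access_check(dacl, token, desired):
    """Simplified AccessCheck(): walk ACEs in canonical order. A matching
    deny ACE covering any still-ungranted bit denies; allow ACEs grant
    bits until nothing is left."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def inherit(parent_dacl):
    """Child DACL as propagated from the parent (all ACEs flagged inherited)."""
    return [Ace(a.trustee, a.allow, a.mask, inherited=True) for a in parent_dacl]


def evaluate(root_dacl, token):
    """Assumed layout: root -> course -> course/info (the target, which gets
    the explicit Modify ACE) plus a sibling 'other' folder. Returns what the
    token gets on each object, judged by that object's DACL alone."""
    course = inherit(root_dacl)
    target = inherit(root_dacl) + [Ace("person", True, MODIFY, inherited=False)]
    other = inherit(root_dacl)
    return {
        "root_traverse": access_check(root_dacl, token, FILE_EXECUTE),
        "course_traverse": access_check(course, token, FILE_EXECUTE),
        "target_modify": access_check(target, token, MODIFY),
        "other_read": access_check(other, token, READ_EXECUTE),
    }


def way1():
    root = [Ace("Domain Admins", True, FULL_CONTROL, False),
            Ace("Teaching", True, FULL_CONTROL, False)]
    token = {"person", "Domain Users"}          # not in Teaching
    return evaluate(root, token)


def way2():
    root = [Ace("Domain Admins", True, FULL_CONTROL, False),
            Ace("Teaching", True, FULL_CONTROL, False),
            Ace("Teaching_Users_restricted", False, FULL_CONTROL, False)]
    token = {"person", "Domain Users", "Teaching", "Teaching_Users_restricted"}
    return evaluate(root, token)


if __name__ == "__main__":
    for name, fn in (("Way 1", way1), ("Way 2", way2)):
        print(name, fn())
```

What the model shows: in Way 2 the sub-folder's DACL resolves to allow because the person's explicit Modify ACE is sorted ahead of the inherited Full-control deny, while every folder that carries only the inherited ACEs resolves to deny, so "deny takes precedence" is true per tier, not across tiers. It also shows that the sub-folder's own DACL already grants Modify in Way 1; the model judges each object in isolation and does not say how the server checks the parent directories on the way down (Windows normally skips that check through the Bypass traverse checking privilege, whereas a Unix filesystem under Samba needs search permission on each directory), so the difference between the two ways is not visible in the object DACLs alone.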



