I have a standard setup with OMV users/groups, OMV shares and CIFS shares. Each group has access to its share and everything goes fine. As easy and direct as it sounds.
Now, I have been tasked to allow a given user (say Pete), NOT belonging to a given group (say testgroup), to access some of the folders inside that group's share (testshare). The user MUST NOT see anything else apart from those folders (say folder1, folder2) and the files inside them, being able to read and write them too.
Well, this looks like a task for the ACL part of the GUI as I need to give diferentiated rights so some user. So I created a new group (extragroup), made the user (Pete) belong to it and gave the new group ACL RW rights to the folders. But even though the parent folder ('testshare') had RX rights for 'other' I was not able to see them from a windows session.
So we have '/testshare/folder1' and /testshare/folder2' as full paths
testshare rights are root->rwx, testgroup->rwx, other->r-x
folder1 rights are root->rwx, testgroup->rwx, other->r-x, extended ACL extragroup->rwx
folder2 rights are root->rwx, testgroup->rwx, other->r-x, extended ACL extragroup->rwx
With this setup I am not able to see both folder1 and folder2 inside testshare. I expected to see testshare and, when expanded, both folders inside iit but I am not able to see testshare either. If I add the new group 'extragroup' to the original share via the 'privileges' button (not the ACL one) then I am able to see everything inside no matter what the POSIX rights are configured (I explicitly chowned nothing to other: other->---).
Access Based Enum is active system-wide so even though all groups have r-x rights to all shares in POSIX they do not show at windows until they are explicitely given rights in the OMV share thus making them appear in the valid users' option of the smb.conf file.
After losing lot of hair with this approach and not understanding why SAMBA did not show testshare as there were folders inside it where the user had enough rights to see them (perhaps because the @"extragroup" group does not show up in the 'valid users' list) I took a different approach. I created a new share for Pete, say testshare2 and gave Pete's group (extragroup) RW rights to it. This immediatly showed the new share in Pete's windows file manager as expected. Then I created soft links (via ssh session) to the original share folders (ln -s ../testshare/folder1 folder1, etc.). I expected that as the 'extragroup' group had RW rights ACL for /testshare/folderN, I could access the files indirectly as I had enough rights to.
Well, this is not true. I get an error when I try to open those linked folders.
Do anyone knows why? Can someone, please, give some light here?
Thanks in advance for your help.