Linux and SMB permissions not working as expected

I configured a CentOS server to be a SFTP server that receives customer files in a secure way. Then I need to be able to access these files via SMB.

• The 'root' of my SFTP is in /var/inbound/
• Then under /var/inbound/ I have one directory for each customer (e.g. /var/inbound/customer1/
• Then in order to jail users, I have a sub-directory called uploads under each customer directory (e.g. /var/inbound/customer1/uploads/)

I managed to make the permissions work as expected and everything is fine and dandy to support customer access to the SFTP. One important aspect is that I 'jailed' users to their /var/inbound/ directories.

Here is now I created the /var/inbound directory:

sudo mkdir /var/inbound
sudo chown root.root /var/inbound #root must be owner of directory

And here is how I create the sub-directories for each customer:

sudo mkdir -p /var/inbound/[username]/uploads
sudo chown root /var/inbound/[username]
sudo chmod go-w /var/inbound/[username]
sudo chown [username]: /var/inbound/[username]/uploads
sudo chmod 770 /var/inbound/[username]/uploads

NOTE: Both the /var/inbound/[username]/ and /var/inbound/[username]/uploads/ directories need a special set of permissions. Perform the following commands, replacing [username] with the user in question.

Now I'll spare you from the remaining SSH/SFTP configuration. But suffice to say that I can get users to be jailed to their own directories, and that I disabled their SSH/console access using SCPONLY.

Now where things get complicated...

I now need to give SMB access to a specific account (let's call it fileaccess) to the /var/inbound/ directory, which will be accessible from a Windows Server host. I do manage to see the /var/inbound directory as a share from Windows, including its sub-directories. However I cannot see some files, and I have no write access to the files I am meant to have access to either.

$ ls -l /var/inbound
total 0
drwxr-xr-x. 3 root root 20 Jan  5 11:53 testuser

$ ls -l /var/inbound/testuser
total 0
drwxrwxr-x. 2 testuser sftponly 53 Jan  5 12:26 uploads

Now here is the directory I want to access with the fileaccess account:

$ ls -la /var/inbound/testuser/uploads/ 
total 12 
drwxrwx---. 2 testuser    sftponly   53 Jan 5 15:12  . 
drwxr-xr-x. 3 root        root       20 Jan 5 11:53  .. 
-rw-r--r--. 1 fileaccess  sftponly   30 Jan 5 12:26  test2.txt 
-rw-r--r--. 1 testuser    sftponly   26 Jan 5 12:25  test3.txt 
-rw-rw-r--. 1 dmgmadmin   dmgmadmin  14 Jan 5 11:53  test.txt

When I connect via SMB with the fileaccess account, I can only see the test.txt, but I cannot open the file (access denied).

Here is my smb.conf. As you can see I've been trying a series of different options:

    [global]
    workgroup = <MYDOMAINNAMEGOESHERE>
    security = user

    passdb backend = tdbsam

    [inbound]
    comment = Incoming files (as %u)
    path = /var/inbound/
    valid users = fileaccess
    guest ok = No
    read only = No
    writeable = Yes
    browseable = Yes
    create mask = 0640
    directory mask = 0750

NOTE: While I do have a domain, this CentOS machine is not part of it. It does have an entry on my Windows AD DNS, and is configured to use the DNS server -- but that is the end of it. I want this machine to be isolated. So attempts to connect to this server are made with local CentOS accounts.

I am particularly concerned that this might be a Linux file-system access issue, and that necessary changes might conflict with required SFTP permissions (e.g. SFTP requires the /var/inbound// directories to be owned by root).

I wonder if there is a way to enforce in the SMB.conf the access rights for the account in question, so that account has browse/read/right permissions. I tried all sorts of config options in smb.conf (I've been reading the manual for smb.conf here).