Sometime since samba 2.2.3, EXCEPT clauses in hosts allow/deny stopped being recursive. The following works as expected:

# allow 10.0. subnet, deny 10.0.0. subnet
hosts allow = 10.0. EXCEPT 10.0.0.

but this does not:

# allow 10.0. subnet, deny 10.0.0. subnet, allow 10.0.0.1 host
hosts allow = 10.0. EXCEPT 10.0.0. EXCEPT 10.0.0.1

The following patch appears to fix the problem:

--- access.c.old Thu Jun 10 10:51:00 2004 +++ access.c Thu Jun 10 10:51:35 2004 @@ -186,8 +186,9 @@ while (*list && !strequal(*list, "EXCEPT")) list++; - for (; *list; list++) { - if ((*match_fn) (*list, item)) /* Exception Found */ + list++; + + if (list_match(list,item,match_fn) != False) { return False; } }
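Review bot: the added unconditional `list++` is unsafe when the preceding `while (*list && !strequal(*list, "EXCEPT"))` stopped because `*list` was NULL rather than on an EXCEPT token, i.e. when the matched list has no exception clause at all: `list` then points one past the terminator and the new recursive `list_match(list,item,match_fn)` reads beyond the end of the array. The removed `for (; *list; list++)` handled that case safely, so the new code needs an equivalent guard before the increment, e.g. `if (!*list)` return early (or wrap the added lines in `if (*list) { ... }`). Minor: `!= False` on a BOOL result is redundant, `if (list_match(list, item, match_fn))` reads more clearly. Also, since this changes the documented semantics of hosts allow/deny (each further EXCEPT now inverts the previous clause), the hosts allow description in the smb.conf man page should be updated alongside the code if the change is accepted.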
I don't really think recursive EXCEPT clauses are a good idea. You can bring this up on the samba-tech ml though if you like.
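As an added illustration (not Samba's access.c and not the reporter's patch), a self-contained model of the recursive EXCEPT evaluation described in the report above, with the end-of-list guard the patch lacks. The prefix-style `prefix_match` rule and the `example_allows` wrapper are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed match rule for this example: a token matches an address
 * if it is a leading prefix of it ("10.0." matches "10.0.3.4"). */
static bool prefix_match(const char *token, const char *item)
{
    return strncmp(token, item, strlen(token)) == 0;
}

/* Returns true if item is allowed by the NULL-terminated token list.
 * Tokens after an EXCEPT form their own access list evaluated by a
 * recursive call, so "A EXCEPT B EXCEPT C" reads as
 * "matches A, unless (matches B, unless matches C)". */
bool list_match(const char **list, const char *item,
                bool (*match_fn)(const char *, const char *))
{
    bool match = false;

    if (!list)
        return false;

    /* Look for a positive match among the tokens before the first EXCEPT. */
    for (; *list; list++) {
        if (strcmp(*list, "EXCEPT") == 0)
            break;
        if (match_fn(*list, item)) {
            match = true;
            break;
        }
    }
    if (!match)
        return false;

    /* Advance to the EXCEPT keyword, if there is one. */
    while (*list && strcmp(*list, "EXCEPT") != 0)
        list++;
    if (!*list)          /* no exception clause: do not step past the terminator */
        return true;
    list++;              /* skip the EXCEPT token itself */

    /* A hit in the (recursively evaluated) exception list denies the item. */
    return !list_match(list, item, match_fn);
}

/* The report's example: hosts allow = 10.0. EXCEPT 10.0.0. EXCEPT 10.0.0.1 */
bool example_allows(const char *addr)
{
    static const char *list[] = {"10.0.", "EXCEPT", "10.0.0.", "EXCEPT", "10.0.0.1", NULL};
    return list_match(list, addr, prefix_match);
}
```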