I just set up a samba share which is accessed from Windows clients. The share is like this:


And so on, meaning it's quite a big tree with many subfolders of subfolders. The share is allowed for unix group "grp1", so in smb.conf I have "valid users = @grp1". User1, user2, user3 and user4 are all part of this group. The share folder and *all* its contents have these attributes: root:grp1 drwxrws---. This is because I also used the parameter "inherit permissions = yes".

Now, I need to restrict user4's access to some subdirectories, say for example direc1 and fdr2, to *nothing*, i.e., no read, no write, no execute/traverse, without affecting the user's access to the rest of the complicated tree.

I was told to just add more share definitions in smb.conf for each folder I wanted to set special access on, but for some reason this seemed a bit... cheesy...
So I tried to use POSIX ACLs. I tried "setfacl -Rdm u:user4:0 /path/to/[...]direc1", rebooted the system just in case, logged in as user4 from a Windows client, and I was still able to read and even write a (previously modified) xls file inside the direc1 folder. I checked getfacl and the ACLs were indeed correctly set.
Then I tried setting "inherit permissions = no", still no dice.

By the way, I did take into account this https://www.samba.org/~ab/Samba-HOWTO-Collection.pdf, page 206: "Word does the following when you modify/change a Word document: MS Word creates a NEW document with a temporary name, Word then closes the old document and deletes it, Word then renames the new document to the original document name". Yes, MS Office saves the newly modified file with some fancy extended ACLs by default...

Could someone help?
Thanks beforehand.
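As an added illustration, not part of the original post: a small Python model of the POSIX ACL check order (owner entry, then named user, then owning/named groups under the mask, then other), used to compare the post's `setfacl -Rdm u:user4:0` (which writes only the *default* ACL) with a plain `-m` access entry on the directory, and to show why a file Word re-creates as user4 stays readable by its new owner. The `Node` type, `create_child` and the user/group names are constructed for this example and simplify what the kernel does (the create mode is not applied).

```python
from dataclasses import dataclass, field
# ACL entry = (tag, qualifier, perms); tags user_obj/user/group_obj/group/mask/other.
@dataclass
class Node:
    owner: str
    group: str
    acl: list                                        # access ACL: what checks use
    default_acl: list = field(default_factory=list)  # copied to NEW children only

def mode_acl(o, g, oth):                             # access ACL of a plain Unix mode
    return [("user_obj", None, set(o)), ("group_obj", None, set(g)), ("other", None, set(oth))]

def allowed(node, uid, groups, want):
    """True if uid (member of groups) holds every permission in want on node."""
    want = set(want)
    mask = next((p for t, _, p in node.acl if t == "mask"), set("rwx"))  # caps named users/groups
    if uid == node.owner:                            # 1. owner entry decides outright
        return want <= next(p for t, _, p in node.acl if t == "user_obj")
    for tag, q, perms in node.acl:                   # 2. named-user entry decides, even
        if tag == "user" and q == uid:               #    when a group entry would grant
            return want <= perms & mask
    matched = False                                  # 3. owning group and named groups:
    for tag, q, perms in node.acl:                   #    any matching entry that grants wins
        if (tag == "group_obj" and node.group in groups) or (tag == "group" and q in groups):
            matched = True
            if want <= perms & mask:
                return True
    if matched:
        return False
    return want <= next(p for t, _, p in node.acl if t == "other")  # 4. other

def create_child(parent, owner):
    """A new file takes the parent's default ACL as its access ACL (simplified)."""
    acl = [(t, q, set(p)) for t, q, p in parent.default_acl] or mode_acl("rw", "rw", "")
    return Node(owner, parent.group, acl)

# The share from the post: root:grp1 drwxrws---, user4 a member of grp1.
GRP1 = {"grp1"}
DENY_USER4 = [("user", "user4", set()), ("mask", None, set("rwx"))]  # what setfacl u:user4:0 adds
def with_default_only():
    """setfacl -dm u:user4:0 on direc1: only the default ACL changes, direc1 itself does not."""
    direc1 = Node("root", "grp1", mode_acl("rwx", "rwx", ""), default_acl=mode_acl("rwx", "rwx", "") + DENY_USER4)
    resaved = create_child(direc1, "user4")          # Word's rename-into-place, now owned by user4
    return allowed(direc1, "user4", GRP1, "rx"), allowed(resaved, "user4", GRP1, "rw")

def with_access_entry():
    """setfacl -m u:user4:0 on direc1: the named-user entry sits on the directory itself."""
    direc1 = Node("root", "grp1", mode_acl("rwx", "rwx", "") + DENY_USER4)
    return allowed(direc1, "user4", GRP1, "rx")
```

Both calls in `with_default_only()` return True (user4 can still traverse direc1 and still owns the re-saved file), while `with_access_entry()` returns False because the named-user entry is consulted before grp1 membership.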