SMB should bypass ACL traverse checking
Windows and compatible SMB servers implement a "user right" called: Bypass traverse checking https://technet.microsoft.com/en-us/library/cc976473.aspx
which is normally granted to all SMB users.
This privilege is a convenience that allows an administrator to set ACLs on high level directories in a share that technically do not allow ordinary users to "traverse through" (when doing lookup to follow a directory path). For example, it's common to leave the ACLs on the higher level directories at the default, so that only members of the "Administrators" group are granted access. Then on the user's home directory (at some lower level in the hierarchy) they would grant the user some useful access with the ACL at that level. The user is able to traverse through the higher level directories only because they were given the user right to "bypass traverse checking". The ACL on those higher level directories technically does not allow them to traverse through on a lookup.
We typically run into this problem after data import (i.e. via "robocopy") where the ACLs have been preserved, and the system we copy from implements this feature.
Steps to Reproduce:
At top of share, create a directory, ACL has only Full Control for Administrators.
Under that directory, create a subdir, add an ACE for an ordinary user, also full control.
User should be able to navigate to their folder assuming they know the name.
(Note, they can NOT browse to that folder in explorer, but must type in the path.)