smbcacls

Name

smbcacls — Set or get ACLs on an NT file or directory names

Synopsis

smbcacls {//server/share} {filename} [-D acls] [-M acls] [-a acls] [-S acls] [-C name] [-G name] [-n] [-t] [-U username] [-h] [-d]

DESCRIPTION

This tool is part of the Samba(7) suite.

The smbcacls program manipulates NT Access Control - Lists (ACLs) on SMB file shares.

OPTIONS

The following options are available to the smbcacls program. - The format of ACLs is described in the section ACL FORMAT

-a acls

Add the ACLs specified to the ACL list. Existing - access control entries are unchanged.

-M acls

Modify the mask value (permissions) for the ACLs - specified on the command line. An error will be printed for each - ACL specified that was not already present in the ACL list -

-D acls

Delete any ACLs specified on the command line. - An error will be printed for each ACL specified that was not - already present in the ACL list.

-S acls

This command sets the ACLs on the file with - only the ones specified on the command line. All other ACLs are - erased. Note that the ACL specified must contain at least a revision, - type, owner and group for the call to succeed.

-U username

Specifies a username used to connect to the - specified service. The username may be of the form "username" in - which case the user is prompted to enter in a password and the - workgroup specified in the smb.conf(5) file is - used, or "username%password" or "DOMAIN\username%password" and the - password and workgroup names are used as provided.

-C name

The owner of a file or directory can be changed - to the name given using the -C option. - The name can be a sid in the form S-1-x-y-z or a name resolved - against the server specified in the first argument.

This command is a shortcut for -M OWNER:name. -

-G name

The group owner of a file or directory can - be changed to the name given using the -G - option. The name can be a sid in the form S-1-x-y-z or a name - resolved against the server specified n the first argument. -

This command is a shortcut for -M GROUP:name.

-n

This option displays all ACL information in numeric - format. The default is to convert SIDs to names and ACE types - and masks to a readable string format.

-t

- Don't actually do anything, only validate the correctness of - the arguments. -

-h|--help

Print a summary of command line options. -

-V

Prints the program version number. -

-s <configuration file>

The file specified contains the -configuration details required by the server. The -information in this file includes server-specific -information such as what printcap file to use, as well -as descriptions of all the services that the server is -to provide. See smb.conf for more information. -The default configuration file name is determined at -compile time.

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

The higher this value, the more detail will be -logged to the log files about the activities of the -server. At level 0, only critical errors and serious -warnings will be logged. Level 1 is a reasonable level for -day-to-day running - it generates a small amount of -information about operations carried out.

Levels above 1 will generate considerable -amounts of log data, and should only be used when -investigating a problem. Levels above 3 are designed for -use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic.

Note that specifying this parameter here will -override the log level parameter -in the smb.conf file.

-l|--logfile=logbasename

File name for log/debug files. The extension -".client" will be appended. The log file is -never removed by the client. -

ACL FORMAT

The format of an ACL is one or more ACL entries separated by - either commas or newlines. An ACL entry is one of the following:

 
-REVISION:<revision number>
-OWNER:<sid or name>
-GROUP:<sid or name>
-ACL:<sid or name>:<type>/<flags>/<mask>
-

The revision of the ACL specifies the internal Windows - NT ACL revision for the security descriptor. - If not specified it defaults to 1. Using values other than 1 may - cause strange behaviour.

The owner and group specify the owner and group sids for the - object. If a SID in the format CWS-1-x-y-z is specified this is used, - otherwise the name specified is resolved using the server on which - the file or directory resides.

ACLs specify permissions granted to the SID. This SID again - can be specified in CWS-1-x-y-z format or as a name in which case - it is resolved against the server on which the file or directory - resides. The type, flags and mask values determine the type of - access granted to the SID.

The type can be either 0 or 1 corresponding to ALLOWED or - DENIED access to the SID. The flags values are generally - zero for file ACLs and either 9 or 2 for directory ACLs. Some - common flags are:

#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
#define SEC_ACE_FLAG_INHERIT_ONLY 0x8

At present flags can only be specified as decimal or - hexadecimal values.

The mask is a value which expresses the access right - granted to the SID. It can be given as a decimal or hexadecimal value, - or by using one of the following text strings which map to the NT - file permissions of the same name.

R - Allow read access
W - Allow write access
X - Execute permission on the object
D - Delete the object
P - Change permissions
O - Take ownership

The following combined permissions can be specified:

READ - Equivalent to 'RX' - permissions
CHANGE - Equivalent to 'RXWD' permissions -
FULL - Equivalent to 'RWXDPO' - permissions

EXIT STATUS

The smbcacls program sets the exit status - depending on the success or otherwise of the operations performed. - The exit status may be one of the following values.

If the operation succeeded, smbcacls returns and exit - status of 0. If smbcacls couldn't connect to the specified server, - or there was an error getting or setting the ACLs, an exit status - of 1 is returned. If there was an error parsing any command line - arguments, an exit status of 2 is returned.

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.

smbcacls was written by Andrew Tridgell - and Tim Potter.

The conversion to DocBook for Samba 2.2 was done - by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done - by Alexander Bokovoy.