1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="smbcacls.1">
6 <refentrytitle>smbcacls</refentrytitle>
7 <manvolnum>1</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">User Commands</refmiscinfo>
10 <refmiscinfo class="version">4.0</refmiscinfo>
15 <refname>smbcacls</refname>
16 <refpurpose>Set or get ACLs on an NT file or directory names</refpurpose>
21 <command>smbcacls</command>
22 <arg choice="req">//server/share</arg>
23 <arg choice="req">/filename</arg>
24 <arg choice="opt">-D|--delete acls</arg>
25 <arg choice="opt">-M|--modify acls</arg>
26 <arg choice="opt">-a|--add acls</arg>
27 <arg choice="opt">-S|--set acls</arg>
28 <arg choice="opt">-C|--chown name</arg>
29 <arg choice="opt">-G|--chgrp name</arg>
30 <arg choice="opt">-I allow|romove|copy</arg>
31 <arg choice="opt">--numeric</arg>
32 <arg choice="opt">-t</arg>
33 <arg choice="opt">-U username</arg>
34 <arg choice="opt">-d</arg>
35 <arg choice="opt">-e</arg>
36 <arg choice="opt">-m|--max-protocol LEVEL</arg>
41 <title>DESCRIPTION</title>
43 <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
44 <manvolnum>7</manvolnum></citerefentry> suite.</para>
46 <para>The <command>smbcacls</command> program manipulates NT Access Control
47 Lists (ACLs) on SMB file shares. </para>
52 <title>OPTIONS</title>
54 <para>The following options are available to the <command>smbcacls</command> program.
55 The format of ACLs is described in the section ACL FORMAT </para>
60 <term>-a|--add acls</term>
61 <listitem><para>Add the ACLs specified to the ACL list. Existing
62 access control entries are unchanged. </para></listitem>
68 <term>-M|--modify acls</term>
69 <listitem><para>Modify the mask value (permissions) for the ACLs
70 specified on the command line. An error will be printed for each
71 ACL specified that was not already present in the ACL list
78 <term>-D|--delete acls</term>
79 <listitem><para>Delete any ACLs specified on the command line.
80 An error will be printed for each ACL specified that was not
81 already present in the ACL list. </para></listitem>
87 <term>-S|--set acls</term>
88 <listitem><para>This command sets the ACLs on the file with
89 only the ones specified on the command line. All other ACLs are
90 erased. Note that the ACL specified must contain at least a revision,
91 type, owner and group for the call to succeed. </para></listitem>
97 <term>-C|--chown name</term>
98 <listitem><para>The owner of a file or directory can be changed
99 to the name given using the <parameter>-C</parameter> option.
100 The name can be a sid in the form S-1-x-y-z or a name resolved
101 against the server specified in the first argument. </para>
103 <para>This command is a shortcut for -M OWNER:name.
110 <term>-G|--chgrp name</term>
111 <listitem><para>The group owner of a file or directory can
112 be changed to the name given using the <parameter>-G</parameter>
113 option. The name can be a sid in the form S-1-x-y-z or a name
114 resolved against the server specified n the first argument.
117 <para>This command is a shortcut for -M GROUP:name.</para></listitem>
123 <term>-I|--inherit allow|remove|copy</term>
124 <listitem><para>Set or unset the windows "Allow inheritable
125 permissions" check box using the <parameter>-I</parameter>
126 option. To set the check box pass allow. To unset the check
127 box pass either remove or copy. Remove will remove all
128 inherited acls. Copy will copy all the inherited acls.
136 <term>--numeric</term>
137 <listitem><para>This option displays all ACL information in numeric
138 format. The default is to convert SIDs to names and ACE types
139 and masks to a readable string format. </para></listitem>
143 <term>-m|--max-protocol PROTOCOL_NAME</term>
144 <listitem><para>This allows the user to select the
145 highest SMB protocol level that smbcacls will use to
146 connect to the server. By default this is set to
147 NT1, which is the highest available SMB1 protocol.
148 To connect using SMB2 or SMB3 protocol, use the
149 strings SMB2 or SMB3 respectively. Note that to connect
150 to a Windows 2012 server with encrypted transport selecting
151 a max-protocol of SMB3 is required.
156 <term>-t|--test-args</term>
158 Don't actually do anything, only validate the correctness of
163 &stdarg.server.debug;
165 &popt.common.credentials;
166 &popt.common.connection;
173 <title>ACL FORMAT</title>
175 <para>The format of an ACL is one or more ACL entries separated by
176 either commas or newlines. An ACL entry is one of the following: </para>
178 <para><programlisting>
179 REVISION:<revision number>
180 OWNER:<sid or name>
181 GROUP:<sid or name>
182 ACL:<sid or name>:<type>/<flags>/<mask>
183 </programlisting></para>
186 <para>The revision of the ACL specifies the internal Windows
187 NT ACL revision for the security descriptor.
188 If not specified it defaults to 1. Using values other than 1 may
189 cause strange behaviour. </para>
191 <para>The owner and group specify the owner and group sids for the
192 object. If a SID in the format S-1-x-y-z is specified this is used,
193 otherwise the name specified is resolved using the server on which
194 the file or directory resides. </para>
196 <para>ACLs specify permissions granted to the SID. This SID again
197 can be specified in S-1-x-y-z format or as a name in which case
198 it is resolved against the server on which the file or directory
199 resides. The type, flags and mask values determine the type of
200 access granted to the SID. </para>
202 <para>The type can be either ALLOWED or DENIED to allow/deny access
203 to the SID. The flags values are generally zero for file ACLs and
204 either 9 or 2 for directory ACLs. Some common flags are: </para>
207 <listitem><para><constant>#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1</constant></para></listitem>
208 <listitem><para><constant>#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2</constant></para></listitem>
209 <listitem><para><constant>#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4</constant></para></listitem>
210 <listitem><para><constant>#define SEC_ACE_FLAG_INHERIT_ONLY 0x8</constant></para></listitem>
213 <para>At present flags can only be specified as decimal or
214 hexadecimal values.</para>
216 <para>The mask is a value which expresses the access right
217 granted to the SID. It can be given as a decimal or hexadecimal value,
218 or by using one of the following text strings which map to the NT
219 file permissions of the same name. </para>
222 <listitem><para><emphasis>R</emphasis> - Allow read access </para></listitem>
223 <listitem><para><emphasis>W</emphasis> - Allow write access</para></listitem>
224 <listitem><para><emphasis>X</emphasis> - Execute permission on the object</para></listitem>
225 <listitem><para><emphasis>D</emphasis> - Delete the object</para></listitem>
226 <listitem><para><emphasis>P</emphasis> - Change permissions</para></listitem>
227 <listitem><para><emphasis>O</emphasis> - Take ownership</para></listitem>
231 <para>The following combined permissions can be specified:</para>
235 <listitem><para><emphasis>READ</emphasis> - Equivalent to 'RX'
236 permissions</para></listitem>
237 <listitem><para><emphasis>CHANGE</emphasis> - Equivalent to 'RXWD' permissions
239 <listitem><para><emphasis>FULL</emphasis> - Equivalent to 'RWXDPO'
240 permissions</para></listitem>
245 <title>EXIT STATUS</title>
247 <para>The <command>smbcacls</command> program sets the exit status
248 depending on the success or otherwise of the operations performed.
249 The exit status may be one of the following values. </para>
251 <para>If the operation succeeded, smbcacls returns and exit
252 status of 0. If <command>smbcacls</command> couldn't connect to the specified server,
253 or there was an error getting or setting the ACLs, an exit status
254 of 1 is returned. If there was an error parsing any command line
255 arguments, an exit status of 2 is returned. </para>
259 <title>VERSION</title>
261 <para>This man page is correct for version 3 of the Samba suite.</para>
265 <title>AUTHOR</title>
267 <para>The original Samba software and related utilities
268 were created by Andrew Tridgell. Samba is now developed
269 by the Samba Team as an Open Source project similar
270 to the way the Linux kernel is developed.</para>
272 <para><command>smbcacls</command> was written by Andrew Tridgell
273 and Tim Potter.</para>
275 <para>The conversion to DocBook for Samba 2.2 was done
276 by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done
277 by Alexander Bokovoy.</para>