SMBCACLS(1)			 User Commands			   SMBCACLS(1)

NAME
       smbcacls - Set or get ACLs on NT file or directory names

SYNOPSIS
       smbcacls	{//server/share} {/filename} [-D|--delete acl]
	[-M|--modify acl] [-a|--add acl] [-S|--set acl]	[-C|--chown name]
	[-G|--chgrp name] [-I allow|remove|copy] [--numeric] [-t]
	[-U username] [-d] [-e]	[-m|--max-protocol LEVEL]
	[--query-security-info FLAGS] [--set-security-info FLAGS] [--sddl]
	[--domain-sid SID]

DESCRIPTION
       This tool is part of the	samba(7) suite.

       The smbcacls program manipulates NT Access Control Lists (ACLs) on SMB
       file shares. An ACL comprises zero or more Access Control Entries
       (ACEs), which define access restrictions for a specific user or group.

OPTIONS
       The following options are available to the smbcacls program. The format
       of ACLs is described in the section ACL FORMAT.

       -a|--add	acl
	   Add the entries specified to	the ACL. Existing access control
	   entries are unchanged.

       -M|--modify acl
	   Modify the mask value (permissions) for the ACEs specified on the
	   command line. An error will be printed for each ACE specified that
	   was not already present in the object's ACL.

       -D|--delete acl
	   Delete any ACEs specified on	the command line. An error will	be
	   printed for each ACE	specified that was not already present in the
	   object's ACL.

       -S|--set	acl
	   This	command	sets the ACL on	the object with	only what is specified
	   on the command line.	Any existing ACL is erased. Note that the ACL
	   specified must contain at least a revision, type, owner and group
	   for the call	to succeed.

       -C|--chown name
           The owner of a file or directory can be changed to the name given
           using the -C option. The name can be a SID in the form S-1-x-y-z or
           a name resolved against the server specified in the first argument.

	   This	command	is a shortcut for -M OWNER:name.

       -G|--chgrp name
           The group owner of a file or directory can be changed to the name
           given using the -G option. The name can be a SID in the form
           S-1-x-y-z or a name resolved against the server specified in the
           first argument.

	   This	command	is a shortcut for -M GROUP:name.

       -I|--inherit allow|remove|copy
           Set or unset the Windows "Allow inheritable permissions" check box
           using the -I option. To set the check box pass allow. To unset the
           check box pass either remove or copy. Remove will remove all
           inherited ACLs. Copy will copy all the inherited ACLs.

       --numeric
	   This	option displays	all ACL	information in numeric format. The
	   default is to convert SIDs to names and ACE types and masks to a
	   readable string format.

       -m|--max-protocol PROTOCOL_NAME
	   This	allows the user	to select the highest SMB protocol level that
	   smbcacls will use to	connect	to the server. By default this is set
	   to NT1, which is the	highest	available SMB1 protocol. To connect
	   using SMB2 or SMB3 protocol,	use the	strings	SMB2 or	SMB3
	   respectively. Note that to connect to a Windows 2012	server with
	   encrypted transport selecting a max-protocol	of SMB3	is required.

       -t|--test-args
	   Don't actually do anything, only validate the correctness of	the
	   arguments.

       --query-security-info FLAGS
	   The security-info flags for queries.

       --set-security-info FLAGS
           The security-info flags for modifications.

       --sddl
           Output and input ACLs in SDDL format.

       --domain-sid SID
           SID used for SDDL processing.

ACL FORMAT
       The format of an	ACL is one or more entries separated by	either commas
       or newlines. An ACL entry is one	of the following:

	   REVISION:<revision number>
	   OWNER:<sid or name>
	   GROUP:<sid or name>
	   ACL:<sid or name>:<type>/<flags>/<mask>

       The revision of the ACL specifies the internal Windows NT ACL revision
       for the security	descriptor. If not specified it	defaults to 1. Using
       values other than 1 may cause strange behaviour.

       The owner and group specify the owner and group SIDs for the object. If
       a SID in the format S-1-x-y-z is specified this is used, otherwise the
       name specified is resolved using the server on which the file or
       directory resides.

       ACEs are	specified with an "ACL:" prefix, and define permissions
       granted to an SID. The SID again	can be specified in S-1-x-y-z format
       or as a name in which case it is	resolved against the server on which
       the file	or directory resides. The type,	flags and mask values
       determine the type of access granted to the SID.

       The type	can be either ALLOWED or DENIED	to allow/deny access to	the
       SID. The	flags values are generally zero	for file ACEs and either 9 or
       2 for directory ACEs. Some common flags are:

       o   #define SEC_ACE_FLAG_OBJECT_INHERIT 0x1

       o   #define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2

       o   #define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4

       o   #define SEC_ACE_FLAG_INHERIT_ONLY 0x8

       At present, flags can only be specified as decimal or hexadecimal
       values.

       The mask	is a value which expresses the access right granted to the
       SID. It can be given as a decimal or hexadecimal	value, or by using one
       of the following	text strings which map to the NT file permissions of
       the same	name.

       o   R - Allow read access

       o   W - Allow write access

       o   X - Execute permission on the object

       o   D - Delete the object

       o   P - Change permissions

       o   O - Take ownership

       The following combined permissions can be specified:

       o   READ	- Equivalent to	'RX' permissions

       o   CHANGE - Equivalent to 'RXWD' permissions

       o   FULL	- Equivalent to	'RWXDPO' permissions
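
       The entry syntax above can be checked mechanically when reviewing
       share permissions. The following Python parser is an added example,
       not part of Samba or of the original man page; the sample ACL text is
       constructed, and the BROAD and RISKY review sets are assumptions.

```python
import re

# Inheritance flag bits as listed in the man page (SEC_ACE_FLAG_*).
INHERIT_FLAGS = {0x1: "OBJECT_INHERIT", 0x2: "CONTAINER_INHERIT",
                 0x4: "NO_PROPAGATE_INHERIT", 0x8: "INHERIT_ONLY"}
COMBINED = {"READ": "RX", "CHANGE": "RXWD", "FULL": "RWXDPO"}
# Assumptions for the review policy, not part of smbcacls:
BROAD = {"Everyone", "S-1-1-0"}   # world-wide principals to review
RISKY = set("WDPO")               # write, delete, change perms, take ownership
# Constructed sample in the documented entry syntax (not real server output).
SAMPLE = r"""OWNER:EXAMPLE\alice
ACL:EXAMPLE\alice:ALLOWED/0x0/FULL
ACL:Everyone:ALLOWED/0x3/CHANGE
ACL:Everyone:ALLOWED/0/READ
ACL:EXAMPLE\guest:DENIED/0/W
ACL:S-1-5-32-544:ALLOWED/11/0x001f01ff"""


def parse_ace(entry):
    """Parse 'ACL:<sid or name>:<type>/<flags>/<mask>' into a dict."""
    prefix, rest = entry.strip().split(":", 1)
    if prefix != "ACL":
        raise ValueError("not an ACE entry: %r" % entry)
    trustee, spec = rest.rsplit(":", 1)
    ace_type, flags, mask = spec.split("/")
    if ace_type not in ("ALLOWED", "DENIED"):
        raise ValueError("unknown ACE type: %r" % ace_type)
    bits = int(flags, 0)                      # decimal or hexadecimal
    inherit = [name for bit, name in INHERIT_FLAGS.items() if bits & bit]
    letters = COMBINED.get(mask, mask)        # expand READ/CHANGE/FULL
    if mask and set(letters) <= set("RWXDPO"):
        rights = set(letters)
    else:
        int(mask, 0)                          # numeric mask: validate only
        rights = None                         # bit meanings not decoded here
    return {"trustee": trustee, "type": ace_type, "inherit": inherit, "rights": rights}


def audit(acl_text):
    """Return (trustee, risky rights, inherit flags) for broad ALLOWED ACEs."""
    findings = []
    for entry in re.split(r"[,\n]", acl_text):   # entries: commas or newlines
        if not entry.strip().startswith("ACL:"):
            continue                              # REVISION/OWNER/GROUP entries
        ace = parse_ace(entry)
        risky = (ace["rights"] or set()) & RISKY
        if ace["type"] == "ALLOWED" and ace["trustee"] in BROAD and risky:
            findings.append((ace["trustee"], "".join(sorted(risky)), ace["inherit"]))
    return findings
```

       Numeric masks, as printed with --numeric, are validated but not
       decoded, because the page does not list the individual mask bits.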

EXIT STATUS
       The smbcacls program sets the exit status depending on the success or
       otherwise of the	operations performed. The exit status may be one of
       the following values.

       If the operation succeeded, smbcacls returns an exit status of 0. If
       smbcacls couldn't connect to the specified server, or there was an
       error getting or setting the ACLs, an exit status of 1 is returned. If
       there was an error parsing any command line arguments, an exit status
       of 2 is returned.

VERSION
       This man	page is	correct	for version 4 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell.	Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       smbcacls	was written by Andrew Tridgell and Tim Potter.

       The conversion to DocBook for Samba 2.2 was done	by Gerald Carter. The
       conversion to DocBook XML 4.2 for Samba 3.0 was done by Alexander
       Bokovoy.

Samba 4.6			  05/23/2017			   SMBCACLS(1)
