| 1 | <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smbcacls</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smbcacls.1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smbcacls — Set or get ACLs on an NT file or directory names</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">smbcacls</code> {//server/share} {filename} [-D acls] [-M acls] [-a acls] [-S acls] [-C name] [-G name] [--numeric] [-t] [-U username] [-h] [-d]</p></div></div><div class="refsect1" lang="en"><a name="id259605"></a><h2>DESCRIPTION</h2><p>This tool is part of the <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a> suite.</p><p>The <span><strong class="command">smbcacls</strong></span> program manipulates NT Access Control |
|---|
| 2 | Lists (ACLs) on SMB file shares. </p></div><div class="refsect1" lang="en"><a name="id259382"></a><h2>OPTIONS</h2><p>The following options are available to the <span><strong class="command">smbcacls</strong></span> program. |
|---|
| 3 | The format of ACLs is described in the section ACL FORMAT </p><div class="variablelist"><dl><dt><span class="term">-a acls</span></dt><dd><p>Add the ACLs specified to the ACL list. Existing |
|---|
| 4 | access control entries are unchanged. </p></dd><dt><span class="term">-M acls</span></dt><dd><p>Modify the mask value (permissions) for the ACLs |
|---|
| 5 | specified on the command line. An error will be printed for each |
|---|
| 6 | ACL specified that was not already present in the ACL list |
|---|
| 7 | </p></dd><dt><span class="term">-D acls</span></dt><dd><p>Delete any ACLs specified on the command line. |
|---|
| 8 | An error will be printed for each ACL specified that was not |
|---|
| 9 | already present in the ACL list. </p></dd><dt><span class="term">-S acls</span></dt><dd><p>This command sets the ACLs on the file with |
|---|
| 10 | only the ones specified on the command line. All other ACLs are |
|---|
| 11 | erased. Note that the ACL specified must contain at least a revision, |
|---|
| 12 | type, owner and group for the call to succeed. </p></dd><dt><span class="term">-U username</span></dt><dd><p>Specifies a username used to connect to the |
|---|
| 13 | specified service. The username may be of the form "username" in |
|---|
| 14 | which case the user is prompted to enter in a password and the |
|---|
| 15 | workgroup specified in the <a href="smb.conf.5.html"><span class="citerefentry"><span class="refentrytitle">smb.conf</span>(5)</span></a> file is |
|---|
| 16 | used, or "username%password" or "DOMAIN\username%password" and the |
|---|
| 17 | password and workgroup names are used as provided. </p></dd><dt><span class="term">-C name</span></dt><dd><p>The owner of a file or directory can be changed |
|---|
| 18 | to the name given using the <em class="parameter"><code>-C</code></em> option. |
|---|
| 19 | The name can be a sid in the form S-1-x-y-z or a name resolved |
|---|
| 20 | against the server specified in the first argument. </p><p>This command is a shortcut for -M OWNER:name. |
|---|
| 21 | </p></dd><dt><span class="term">-G name</span></dt><dd><p>The group owner of a file or directory can |
|---|
| 22 | be changed to the name given using the <em class="parameter"><code>-G</code></em> |
|---|
| 23 | option. The name can be a sid in the form S-1-x-y-z or a name |
|---|
| 24 | resolved against the server specified n the first argument. |
|---|
| 25 | </p><p>This command is a shortcut for -M GROUP:name.</p></dd><dt><span class="term">--numeric</span></dt><dd><p>This option displays all ACL information in numeric |
|---|
| 26 | format. The default is to convert SIDs to names and ACE types |
|---|
| 27 | and masks to a readable string format. </p></dd><dt><span class="term">-t</span></dt><dd><p> |
|---|
| 28 | Don't actually do anything, only validate the correctness of |
|---|
| 29 | the arguments. |
|---|
| 30 | </p></dd><dt><span class="term">-h|--help</span></dt><dd><p>Print a summary of command line options. |
|---|
| 31 | </p></dd><dt><span class="term">-V</span></dt><dd><p>Prints the program version number. |
|---|
| 32 | </p></dd><dt><span class="term">-s <configuration file></span></dt><dd><p>The file specified contains the |
|---|
| 33 | configuration details required by the server. The |
|---|
| 34 | information in this file includes server-specific |
|---|
| 35 | information such as what printcap file to use, as well |
|---|
| 36 | as descriptions of all the services that the server is |
|---|
| 37 | to provide. See <code class="filename">smb.conf</code> for more information. |
|---|
| 38 | The default configuration file name is determined at |
|---|
| 39 | compile time.</p></dd><dt><span class="term">-d|--debuglevel=level</span></dt><dd><p><em class="replaceable"><code>level</code></em> is an integer |
|---|
| 40 | from 0 to 10. The default value if this parameter is |
|---|
| 41 | not specified is zero.</p><p>The higher this value, the more detail will be |
|---|
| 42 | logged to the log files about the activities of the |
|---|
| 43 | server. At level 0, only critical errors and serious |
|---|
| 44 | warnings will be logged. Level 1 is a reasonable level for |
|---|
| 45 | day-to-day running - it generates a small amount of |
|---|
| 46 | information about operations carried out.</p><p>Levels above 1 will generate considerable |
|---|
| 47 | amounts of log data, and should only be used when |
|---|
| 48 | investigating a problem. Levels above 3 are designed for |
|---|
| 49 | use only by developers and generate HUGE amounts of log |
|---|
| 50 | data, most of which is extremely cryptic.</p><p>Note that specifying this parameter here will |
|---|
| 51 | override the <a class="indexterm" name="id260163"></a> parameter |
|---|
| 52 | in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term">-l|--logfile=logdirectory</span></dt><dd><p>Base directory name for log/debug files. The extension |
|---|
| 53 | <code class="constant">".progname"</code> will be appended (e.g. log.smbclient, |
|---|
| 54 | log.smbd, etc...). The log file is never removed by the client. |
|---|
| 55 | </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id260196"></a><h2>ACL FORMAT</h2><p>The format of an ACL is one or more ACL entries separated by |
|---|
| 56 | either commas or newlines. An ACL entry is one of the following: </p><pre class="programlisting"> |
|---|
| 57 | REVISION:<revision number> |
|---|
| 58 | OWNER:<sid or name> |
|---|
| 59 | GROUP:<sid or name> |
|---|
| 60 | ACL:<sid or name>:<type>/<flags>/<mask> |
|---|
| 61 | </pre><p>The revision of the ACL specifies the internal Windows |
|---|
| 62 | NT ACL revision for the security descriptor. |
|---|
| 63 | If not specified it defaults to 1. Using values other than 1 may |
|---|
| 64 | cause strange behaviour. </p><p>The owner and group specify the owner and group sids for the |
|---|
| 65 | object. If a SID in the format S-1-x-y-z is specified this is used, |
|---|
| 66 | otherwise the name specified is resolved using the server on which |
|---|
| 67 | the file or directory resides. </p><p>ACLs specify permissions granted to the SID. This SID again |
|---|
| 68 | can be specified in S-1-x-y-z format or as a name in which case |
|---|
| 69 | it is resolved against the server on which the file or directory |
|---|
| 70 | resides. The type, flags and mask values determine the type of |
|---|
| 71 | access granted to the SID. </p><p>The type can be either 0 or 1 corresponding to ALLOWED or |
|---|
| 72 | DENIED access to the SID. The flags values are generally |
|---|
| 73 | zero for file ACLs and either 9 or 2 for directory ACLs. Some |
|---|
| 74 | common flags are: </p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1</code></p></li><li><p><code class="constant">#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2</code></p></li><li><p><code class="constant">#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4</code></p></li><li><p><code class="constant">#define SEC_ACE_FLAG_INHERIT_ONLY 0x8</code></p></li></ul></div><p>At present flags can only be specified as decimal or |
|---|
| 75 | hexadecimal values.</p><p>The mask is a value which expresses the access right |
|---|
| 76 | granted to the SID. It can be given as a decimal or hexadecimal value, |
|---|
| 77 | or by using one of the following text strings which map to the NT |
|---|
| 78 | file permissions of the same name. </p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>R</em></span> - Allow read access </p></li><li><p><span class="emphasis"><em>W</em></span> - Allow write access</p></li><li><p><span class="emphasis"><em>X</em></span> - Execute permission on the object</p></li><li><p><span class="emphasis"><em>D</em></span> - Delete the object</p></li><li><p><span class="emphasis"><em>P</em></span> - Change permissions</p></li><li><p><span class="emphasis"><em>O</em></span> - Take ownership</p></li></ul></div><p>The following combined permissions can be specified:</p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>READ</em></span> - Equivalent to 'RX' |
|---|
| 79 | permissions</p></li><li><p><span class="emphasis"><em>CHANGE</em></span> - Equivalent to 'RXWD' permissions |
|---|
| 80 | </p></li><li><p><span class="emphasis"><em>FULL</em></span> - Equivalent to 'RWXDPO' |
|---|
| 81 | permissions</p></li></ul></div></div><div class="refsect1" lang="en"><a name="id300566"></a><h2>EXIT STATUS</h2><p>The <span><strong class="command">smbcacls</strong></span> program sets the exit status |
|---|
| 82 | depending on the success or otherwise of the operations performed. |
|---|
| 83 | The exit status may be one of the following values. </p><p>If the operation succeeded, smbcacls returns and exit |
|---|
| 84 | status of 0. If <span><strong class="command">smbcacls</strong></span> couldn't connect to the specified server, |
|---|
| 85 | or there was an error getting or setting the ACLs, an exit status |
|---|
| 86 | of 1 is returned. If there was an error parsing any command line |
|---|
| 87 | arguments, an exit status of 2 is returned. </p></div><div class="refsect1" lang="en"><a name="id300595"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id300605"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities |
|---|
| 88 | were created by Andrew Tridgell. Samba is now developed |
|---|
| 89 | by the Samba Team as an Open Source project similar |
|---|
| 90 | to the way the Linux kernel is developed.</p><p><span><strong class="command">smbcacls</strong></span> was written by Andrew Tridgell |
|---|
| 91 | and Tim Potter.</p><p>The conversion to DocBook for Samba 2.2 was done |
|---|
| 92 | by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done |
|---|
| 93 | by Alexander Bokovoy.</p></div></div></body></html> |
|---|
