table of contents
other versions
- wheezy 2:3.6.6-6+deb7u7
- wheezy-backports 2:4.1.17+dfsg-1~bpo70+1
- jessie 2:4.2.14+dfsg-0+deb8u5
- testing 2:4.5.8+dfsg-2
- unstable 2:4.5.8+dfsg-2
- experimental 2:4.6.5+dfsg-1
SMBCACLS(1) | User Commands | SMBCACLS(1) |
NAME¶
smbcacls - Set or get ACLs on an NT file or directory namesSYNOPSIS¶
smbcacls
{//server/share} {/filename} [-D|--delete acls] [-M|--modify acls]
[-a|--add acls] [-S|--set acls] [-C|--chown name]
[-G|--chgrp name] [-I allow|romove|copy] [--numeric] [-t]
[-U username] [-h] [-d]
DESCRIPTION¶
This tool is part of the samba(7) suite. The smbcacls program manipulates NT Access Control Lists (ACLs) on SMB file shares.OPTIONS¶
The following options are available to the smbcacls program. The format of ACLs is described in the section ACL FORMAT -a|--add aclsAdd the ACLs specified to the ACL list.
Existing access control entries are unchanged.
-M|--modify acls
Modify the mask value (permissions) for the
ACLs specified on the command line. An error will be printed for each ACL
specified that was not already present in the ACL list
-D|--delete acls
Delete any ACLs specified on the command line.
An error will be printed for each ACL specified that was not already present
in the ACL list.
-S|--set acls
This command sets the ACLs on the file with
only the ones specified on the command line. All other ACLs are erased. Note
that the ACL specified must contain at least a revision, type, owner and group
for the call to succeed.
-C|--chown name
The owner of a file or directory can be
changed to the name given using the -C option. The name can be a sid in
the form S-1-x-y-z or a name resolved against the server specified in the
first argument.
This command is a shortcut for -M OWNER:name.
-G|--chgrp name
The group owner of a file or directory can be
changed to the name given using the -G option. The name can be a sid in
the form S-1-x-y-z or a name resolved against the server specified n the first
argument.
This command is a shortcut for -M GROUP:name.
-I|--inherit allow|remove|copy
Set or unset the windows "Allow
inheritable permissions" check box using the -I option. To set the
check box pass allow. To unset the check box pass either remove or copy.
Remove will remove all inherited acls. Copy will copy all the inherited
acls.
--numeric
This option displays all ACL information in
numeric format. The default is to convert SIDs to names and ACE types and
masks to a readable string format.
-t|--test-args
Don´t actually do anything, only validate
the correctness of the arguments.
-h|--help
Print a summary of command line options.
-d|--debuglevel=level
level is an integer from 0 to 10. The
default value if this parameter is not specified is 0.
The higher this value, the more detail will be logged to the log files about the
activities of the server. At level 0, only critical errors and serious
warnings will be logged. Level 1 is a reasonable level for day-to-day running
- it generates a small amount of information about operations carried out.
Levels above 1 will generate considerable amounts of log data, and should only
be used when investigating a problem. Levels above 3 are designed for use only
by developers and generate HUGE amounts of log data, most of which is
extremely cryptic.
Note that specifying this parameter here will override the
smb.conf.5.html# parameter in the smb.conf file.
-V|--version
Prints the program version number.
-s|--configfile <configuration file>
The file specified contains the configuration
details required by the server. The information in this file includes
server-specific information such as what printcap file to use, as well as
descriptions of all the services that the server is to provide. See smb.conf
for more information. The default configuration file name is determined at
compile time.
-l|--log-basename=logdirectory
Base directory name for log/debug files. The
extension ".progname" will be appended (e.g. log.smbclient,
log.smbd, etc...). The log file is never removed by the client.
-N|--no-pass
If specified, this parameter suppresses the
normal password prompt from the client to the user. This is useful when
accessing a service that does not require a password.
Unless a password is specified on the command line or this parameter is
specified, the client will request a password.
If a password is specified on the command line and this option is also defined
the password on the command line will be silently ingnored and no password
will be used.
-k|--kerberos
Try to authenticate with kerberos. Only useful
in an Active Directory environment.
-C|--use-ccache
Try to use the credentials cached by
winbind.
-A|--authentication-file=filename
This option allows you to specify a file from
which to read the username and password used in the connection. The format of
the file is
Make certain that the permissions on the file restrict access from unwanted
users.
-U|--user=username[%password]
username = <value> password = <value> domain = <value>
Sets the SMB username or username and
password.
If %password is not specified, the user will be prompted. The client will first
check the USER environment variable, then the LOGNAME variable
and if either exists, the string is uppercased. If these environmental
variables are not found, the username GUEST is used.
A third option is to use a credentials file which contains the plaintext of the
username and password. This option is mainly provided for scripts where the
admin does not wish to pass the credentials on the command line or via
environment variables. If this method is used, make certain that the
permissions on the file restrict access from unwanted users. See the -A
for more details.
Be cautious about including passwords in scripts. Also, on many systems the
command line of a running process may be seen via the ps command. To be safe
always allow rpcclient to prompt for a password and type it in directly.
ACL FORMAT¶
The format of an ACL is one or more ACL entries separated by either commas or newlines. An ACL entry is one of the following:REVISION:<revision number> OWNER:<sid or name> GROUP:<sid or name> ACL:<sid or name>:<type>/<flags>/<mask>
•#define SEC_ACE_FLAG_OBJECT_INHERIT
0x1
•#define
SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
•#define
SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
•#define SEC_ACE_FLAG_INHERIT_ONLY
0x8
•R - Allow read access
•W - Allow write access
•X - Execute permission on the
object
•D - Delete the object
•P - Change permissions
•O - Take ownership
•READ - Equivalent to
´RX´ permissions
•CHANGE - Equivalent to
´RXWD´ permissions
•FULL - Equivalent to
´RWXDPO´ permissions
EXIT STATUS¶
The smbcacls program sets the exit status depending on the success or otherwise of the operations performed. The exit status may be one of the following values. If the operation succeeded, smbcacls returns and exit status of 0. If smbcacls couldn´t connect to the specified server, or there was an error getting or setting the ACLs, an exit status of 1 is returned. If there was an error parsing any command line arguments, an exit status of 2 is returned.VERSION¶
This man page is correct for version 3 of the Samba suite.AUTHOR¶
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. smbcacls was written by Andrew Tridgell and Tim Potter. The conversion to DocBook for Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.06/22/2012 | Samba 3.6 |