LinuxCommandLibrary

setcifsacl

Set CIFS (SMB) file/directory ACLs

SYNOPSIS

setcifsacl [-D domain] [-U user[%password]] [-I ip-address] [-s server] [-m mapping-file] [-b] [-q] [-a|-x|-c] ACE file ...

PARAMETERS

-D domain
    Specifies the Windows domain name.

-U user[%password]
    Specifies the user name and optionally the password for authentication.

-I ip-address
    Specifies the IP address of the server.

-s server
    Specifies the server name.

-m mapping-file
    Specifies a file containing user/group mappings between Unix and Windows accounts.

-b
    Backs up existing ACLs before modification.

-q
    Quiet mode; suppresses informational messages.

-a ACE
    Adds an Access Control Entry (ACE) to the ACL.
    ACE must be a string in the correct format. See the manual for ACE syntax.

-x ACE
    Removes an Access Control Entry (ACE) from the ACL.
    ACE must be a string in the correct format. See the manual for ACE syntax.

-c ACE
    Replaces an Access Control Entry (ACE) in the ACL.
    ACE must be a string in the correct format. See the manual for ACE syntax.

file ...
    Specifies the files or directories to modify.

DESCRIPTION

The setcifsacl command is used to set Access Control Lists (ACLs) on files and directories shared via the Common Internet File System (CIFS) protocol (typically used for Samba shares).
It allows administrators to precisely control permissions for users and groups accessing files and directories served from a Linux server via SMB. This command provides more granular permission control than basic Unix permissions, enabling features like inheritance and specific access rights (read, write, execute, etc.) for individual users or groups. This is crucial for managing access in mixed environments where both Windows and Linux systems interact.
Improper use may lead to security vulnerabilities, making it essential to understand the parameters and their implications.

CAVEATS

Requires appropriate Samba configuration and Kerberos setup for seamless integration with Windows domains.
Incorrect ACE specifications can lock users out or create security holes.

ACE SYNTAX

The ACE (Access Control Entry) syntax is crucial for correctly setting CIFS ACLs. It defines the user or group, the permissions granted, and other flags like inheritance.
The general form often involves specifying the type of ACE (allow or deny), the user or group, the permissions mask, and any flags.
Consult the setcifsacl manual page or Samba documentation for the precise syntax details, as it can vary depending on the Samba version and configuration.

MAPPING FILES

The mapping file (-m option) helps reconcile differences between Unix user/group IDs and Windows SIDs.
It provides a way to map Linux users and groups to corresponding Windows accounts, ensuring that permissions are applied correctly across platforms. A well-configured mapping file is vital for seamless CIFS integration.
