LinuxCommandLibrary

smbcacls

Manage SMB/CIFS share access control lists

TLDR

Display the ACLs for a file or directory on a remote SMB share

$ smbcacls //[server]/[share] [path/to/file_or_directory] --user [domain\\username]%[password]

Set a new ACL for a file on a remote SMB share (replace "ACL:..." with a valid Windows ACL specification)
$ smbcacls //[server]/[share] [path/to/file] --user [domain\\username]%[password] "ACL:[DACL]"

Remove all existing ACL entries and set a new ACL
$ smbcacls //[server]/[share] [path/to/file] --user [domain\\username]%[password] "RESET" "ACL:[DACL]"

Specify an alternative workgroup (or domain) and have the program prompt for a password interactively
$ smbcacls //[server]/[share] [path/to/file] --user [username] --workgroup [workgroup]

SYNOPSIS

smbcacls //server/share [options] [ACL_expression]

PARAMETERS

//server/share
    The target SMB/CIFS share URL, specifying the server and share name (e.g., //myserver/myshare).

path/to/file_or_directory
    The path to the file or directory on the specified share (e.g., /path/to/file.txt or /directory/).

-U username[%password], --user=username[%password]
    Specifies the username and an optional password for authentication to the Samba server.

-W workgroup, --workgroup=workgroup
    Specifies the workgroup or domain to authenticate against when connecting to the server.

-N, --no-pass
    Suppresses the password prompt, useful for scripting when no password is required or provided through other means.

-A ACL_expression, --add=ACL_expression
    Adds an Access Control Entry (ACE) to the existing ACL. The ACL_expression defines the permissions to add.

-M ACL_expression, --modify=ACL_expression
    Modifies an existing Access Control Entry (ACE) in the ACL. The ACL_expression specifies the entry to modify.

-D ACL_expression, --delete=ACL_expression
    Deletes an Access Control Entry (ACE) from the ACL. Specify the exact ACL_expression to remove.

-S ACL_expression, --set=ACL_expression
    Sets (replaces) all existing ACL entries on the target with the specified ACL_expression. This command is destructive and removes all previous ACLs.

-C owner, --chown=owner
    Changes the owner of the specified file or directory to the given Windows SID or user name.

-O group, --chgrp=group
    Changes the primary group of the specified file or directory to the given Windows SID or group name.

-v, --verbose
    Increases the verbosity of output, providing more detailed information about operations.

-h, --help
    Displays a brief help message and exits.

DESCRIPTION

smbcacls is a command-line utility from the Samba suite that allows administrators to view, set, and delete Windows NT-style Access Control Lists (ACLs) on files and directories located on SMB/CIFS network shares. It provides a powerful interface for fine-grained permission management, replicating the functionality of Windows' security tab for networked resources. This tool is essential for environments where granular access control is required over files served by Samba, enabling precise control over who can access, modify, or execute shared resources, mirroring the security model prevalent in Windows-based networks. It directly interacts with the Samba server to manipulate security descriptors over the SMB protocol.

CAVEATS

Using the -S (set) option is a highly destructive operation as it overwrites all existing ACLs on the target, potentially removing crucial permissions; use with extreme caution.
Effective use of smbcacls requires a solid understanding of Windows NT-style ACL syntax and how permissions are inherited and applied.
The underlying file system on the Samba server must support storing or mapping NT ACLs (e.g., certain Linux filesystems with extended attributes or specific Samba VFS modules) for ACL changes to be persistent and meaningful.

ACL EXPRESSION SYNTAX

The ACL_expression used with options like -A, -M, -D, and -S follows a specific format for defining Access Control Entries (ACEs). This typically includes the Security Identifier (SID) of the trustee (user or group), the ACE type (e.g., ALLOW or DENY), specific permissions (e.g., 'F' for Full Control, 'R' for Read), and inheritance flags (e.g., 'CI' for Container Inherit, 'OI' for Object Inherit).
For example, 'RE:D:(A)(CI)(OI)F' might represent 'Revoke (RE) access for Everyone (D) with full control (F), inheritable to containers (CI) and objects (OI).' Detailed syntax can be found in Samba documentation.

SECURITY DESCRIPTORS

smbcacls manipulates Windows NT-style Security Descriptors. These are fundamental data structures that define the security information for securable objects on a Windows system (and by extension, on Samba shares). A Security Descriptor contains information about the object's owner, primary group, a Discretionary Access Control List (DACL), and an optional System Access Control List (SACL). smbcacls primarily works with the DACL portion to manage user and group permissions.
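
A worked example added here (it is not part of the original page and not Samba's own code) that reads the REVISION/OWNER/GROUP/ACL lines smbcacls prints for a file, pulls the owner and primary group out of the descriptor, flags DACL entries that hand write-level rights to broad trustees such as Everyone, and composes ACL: entries for use with --add or --set. The entry layout ACL:<trustee>:<type>/<flags>/<mask> and the named masks READ, CHANGE and FULL are the ones documented in the smbcacls manual; the sample descriptor, the share, server and account names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original page or of Samba: audit and compose
# smbcacls ACL entries. The entry layout ACL:<trustee>:<type>/<flags>/<mask>
# is the one documented in the smbcacls manual; the data below is constructed.

# Constructed sample of what `smbcacls //server/share /dir` prints for a directory.
SAMPLE_SD='REVISION:1
CONTROL:SR|DP
OWNER:BUILTIN\Administrators
GROUP:EXAMPLE\Domain Users
ACL:BUILTIN\Administrators:ALLOWED/OI|CI/FULL
ACL:EXAMPLE\finance:ALLOWED/OI|CI/CHANGE
ACL:BUILTIN\Users:ALLOWED/OI|CI/READ
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x0/0x1f01ff
ACL:Everyone:DENIED/0x0/W'

# sd_field FIELD DESCRIPTOR: value of the REVISION:, CONTROL:, OWNER: or GROUP: line.
sd_field() {
    printf '%s\n' "$2" | sed -n "s/^$1://p"
}

# mask_is_write MASK: true when the mask carries write, delete, WRITE_DAC or
# WRITE_OWNER rights. Named masks and single-letter masks (R W X D P O) are the
# manual's spellings; numeric masks are tested against the NT access bits
# FILE_WRITE_DATA 0x2, DELETE 0x10000, WRITE_DAC 0x40000 and WRITE_OWNER 0x80000.
mask_is_write() {
    case "$1" in
        FULL|CHANGE) return 0 ;;
        READ)        return 1 ;;
        0x*|[0-9]*)  [ $(( $1 & 0xD0002 )) -ne 0 ] ;;
        *[WDPO]*)    return 0 ;;
        *)           return 1 ;;
    esac
}

# broad_grants DESCRIPTOR: print each ALLOWED entry that gives write-level
# rights to a well-known broad trustee. Entries for other principals, DENIED
# entries and read-only grants are left alone.
broad_grants() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ACL:*) ;; *) continue ;; esac
        entry=${line#ACL:}
        rights=${entry##*:}        # type/flags/mask (trustee names hold no ':')
        trustee=${entry%:*}
        type=${rights%%/*}
        mask=${rights##*/}
        [ "$type" = ALLOWED ] || continue
        case "$trustee" in
            Everyone|'NT AUTHORITY\Authenticated Users'|'BUILTIN\Users') ;;
            *) continue ;;
        esac
        if mask_is_write "$mask"; then
            printf '%s\n' "$line"
        fi
    done
}

# ace TRUSTEE TYPE FLAGS MASK: compose one entry for smbcacls --add or --set,
# rejecting anything other than the two ACE types smbcacls accepts.
ace() {
    case "$2" in
        ALLOWED|DENIED) ;;
        *) printf 'ace: type must be ALLOWED or DENIED, got %s\n' "$2" >&2; return 1 ;;
    esac
    printf 'ACL:%s:%s/%s/%s\n' "$1" "$2" "$3" "$4"
}

# Stand-alone demonstration on the constructed descriptor.
printf 'Owner: %s\nGroup: %s\nBroad write-level grants:\n' \
    "$(sd_field OWNER "$SAMPLE_SD")" "$(sd_field GROUP "$SAMPLE_SD")"
broad_grants "$SAMPLE_SD"

# Against a live share (hypothetical server, share and account names): keep a
# copy of the current descriptor before any --set, since --set replaces it all.
#   smbcacls //fileserver/projects /reports --user 'EXAMPLE\admin' > reports.sd.before
#   broad_grants "$(cat reports.sd.before)"
#   smbcacls //fileserver/projects /reports --user 'EXAMPLE\admin' \
#       --add "$(ace 'EXAMPLE\finance' ALLOWED 'OI|CI' CHANGE)"
```

The audit only classifies the mask portion of each entry; the flags portion (OI, CI, IO, NP, I in the manual's spelling) is carried through untouched, so a flagged entry should be read together with its inheritance flags to see how far down a directory tree the grant reaches. Saving the printed descriptor to a file before a --set gives a plain-text record that can be fed back through --set to restore the previous state.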

HISTORY

smbcacls is an integral part of the Samba project, which began in 1992 to provide SMB/CIFS file and print services for Unix-like systems. As Microsoft Windows NT introduced sophisticated Access Control Lists (ACLs), Samba evolved to support these security features. smbcacls was developed to provide command-line management for these NT ACLs, enabling administrators to manage shared resource permissions from Linux/Unix environments, mirroring the capabilities of Windows security management tools, and extending Samba's interoperability with Windows networks.
