Red Hat Summit Red Hat Summitサポートコンソール開発者トライアルの開始お問い合わせ

1.10. Managing ACLs on an SMB share using smbcacls

The smbcacls utility can list, set, and delete ACLs of files and directories stored on an SMB share.

You can use smbcacls to manage file system ACLs:

  • On a local or remote Samba server that uses advanced Windows ACLs or POSIX ACLs
  • On Red Hat Enterprise Linux to remotely manage ACLs on a share hosted on Windows

1.10.1. Access control entries
リンクのコピー

Access Control Entries (ACEs) define permissions, inheritance, and access rights for users and groups on files and directories. Understand ACE format and components to interpret and manage file system access using ACLs, especially in SMB environments.

Each ACL entry of a file system object contains Access ACE in the following format: 

security_principal:access_right/inheritance_information/permissions

例1.3 Access control entries

If the AD\Domain Users group has Modify permissions that apply to This folder, subfolders, and files on Windows, the ACL contains the following ACE: 

AD\Domain Users:ALLOWED/OI|CI/CHANGE

An ACE contains the following parts:

Security principal
The security principal is the user, group, or SID the permissions in the ACL are applied to.
Access right
Defines if access to an object is granted or denied. The value can be ALLOWED or DENIED.
Inheritance information

The following values exist:

Expand
表1.1 Inheritance settings
ValueDescriptionMaps to

OI

Object Inherit

This folder and files

CI

Container Inherit

This folder and subfolders

IO

Inherit Only

The ACE does not apply to the current file or directory

ID

Inherited

The ACE was inherited from the parent directory

Additionally, the values can be combined as follows:

Expand
表1.2 Inheritance settings combinations
Value combinationsMaps to the Windows Applies to setting

OI|CI

This folder, subfolders, and files

OI|CI|IO

Subfolders and files only

CI|IO

Subfolders only

OI|IO

Files only

Permissions

This value can be either a hex value that represents one or more Windows permissions or an smbcacls alias:

  • A hex value that represents one or more Windows permissions.

    The following table displays the advanced Windows permissions and their corresponding value in hex format:

    Expand
    表1.3 Windows permissions and their corresponding smbcacls value in hex format
    Windows permissionsHex values

    Full control

    0x001F01FF

    Traverse folder / execute file

    0x00100020

    List folder / read data

    0x00100001

    Read attributes

    0x00100080

    Read extended attributes

    0x00100008

    Create files / write data

    0x00100002

    Create folders / append data

    0x00100004

    Write attributes

    0x00100100

    Write extended attributes

    0x00100010

    Delete subfolders and files

    0x00100040

    Delete

    0x00110000

    Read permissions

    0x00120000

    Change permissions

    0x00140000

    Take ownership

    0x00180000

    Multiple permissions can be combined as a single hex value using the bit-wise OR operation. For details, see ACE mask calculation.

  • An smbcacls alias. The following table displays the available aliases:

    Expand
    表1.4 Existing smbcacls aliases and their corresponding Windows permission
    smbcacls aliasMaps to Windows permission

    R

    Read

    READ

    Read & execute

    W

    Special:

    • Create files / write data
    • Create folders / append data
    • Write attributes
    • Write extended attributes
    • Read permissions

    D

    Delete

    P

    Change permissions

    O

    Take ownership

    X

    Traverse / execute

    CHANGE

    Modify

    FULL

    Full control

    注記

    You can combine single-letter aliases when you set permissions. For example, you can set RD to apply the Windows permission Read and Delete. However, you can neither combine multiple non-single-letter aliases nor combine aliases and hex values.

1.10.2. Displaying ACLs using smbcacls
リンクのコピー

To display ACLs on an SMB share, use the smbcacls utility. If you run smbcacls without any operation parameter, such as --add, the utility displays the ACLs of a file system object.

Procedure

  • For example, to list the ACLs of the root directory of the //server/example share: 

    # smbcacls //server/example / -U "DOMAIN\administrator"
Enter DOMAIN\administrator's password:
REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:AD\Administrators
GROUP:AD\Domain Users
ACL:AD\Administrator:ALLOWED/OI|CI/FULL
ACL:AD\Domain Users:ALLOWED/OI|CI/CHANGE
ACL:AD\Domain Guests:ALLOWED/OI|CI/0x00100021

    The output of the command displays:

  • REVISION: The internal Windows NT ACL revision of the security descriptor
  • CONTROL: Security descriptor control
  • OWNER: Name or SID of the security descriptor’s owner
  • GROUP: Name or SID of the security descriptor’s group
  • ACL entries. For details, see Access control entries.

1.10.3. ACE mask calculation
リンクのコピー

In most situations, when you add or update an ACE, you use the smbcacls aliases listed in Existing smbcacls aliases and their corresponding Windows permission.

However, if you want to set advanced Windows permissions as listed in Windows permissions and their corresponding smbcacls value in hex format, you must use the bit-wise OR operation to calculate the correct value. You can use the following shell command to calculate the value: 

# echo $(printf '0x%X' $(( hex_value_1 | hex_value_2 | ... )))

例1.4 Calculating an ACE Mask

You want to set the following permissions:

  • Traverse folder / execute file (0x00100020)
  • List folder / read data (0x00100001)
  • Read attributes (0x00100080)

To calculate the hex value for the previous permissions, enter: 

# echo $(printf '0x%X' $(( 0x00100020 | 0x00100001 | 0x00100080 )))
0x1000A1

Use the returned value when you set or update an ACE.

1.10.4. Adding, updating, and removing an ACL using smbcacls
リンクのコピー

Depending on the parameter you pass to the smbcacls utility, you can add, update, and remove ACLs from a file or directory.

Adding an ACL

To add an ACL to the root of the //server/example share that grants CHANGE permissions for This folder, subfolders, and files to the AD\Domain Users group: 

# smbcacls //server/example / -U "DOMAIN\administrator --add ACL:"AD\Domain Users":ALLOWED/OI|CI/CHANGE

Updating an ACL

Updating an ACL is similar to adding a new ACL. You update an ACL by overriding the ACL using the --modify parameter with an existing security principal. If smbcacls finds the security principal in the ACL list, the utility updates the permissions. Otherwise the command fails with an error: 

ACL for SID principal_name not found

For example, to update the permissions of the AD\Domain Users group and set them to READ for This folder, subfolders, and files: 

# smbcacls //server/example / -U "DOMAIN\administrator --modify ACL:"AD\Domain Users":ALLOWED/OI|CI/READ

Deleting an ACL

To delete an ACL, pass the --delete parameter with the exact ACL to the smbcacls utility. For example: 

# smbcacls //server/example / -U "DOMAIN\administrator --delete ACL:"AD\Domain Users":ALLOWED/OI|CI/READ
Red Hat logoGithubredditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。 最新の更新を見る.

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

Theme

© 2026 Red Hatトップに戻る