1.10. Managing ACLs on an SMB share using smbcacls
The smbcacls utility can list, set, and delete ACLs of files and directories stored on an SMB share.
You can use smbcacls to manage file system ACLs:
- On a local or remote Samba server that uses advanced Windows ACLs or POSIX ACLs
- On Red Hat Enterprise Linux to remotely manage ACLs on a share hosted on Windows
1.10.1. Access control entries
Access Control Entries (ACEs) define permissions, inheritance, and access rights for users and groups on files and directories. Understand ACE format and components to interpret and manage file system access using ACLs, especially in SMB environments.
Each ACL entry of a file system object contains an ACE in the following format:
security_principal:access_right/inheritance_information/permissions
Example 1.3. Access control entries
If the AD\Domain Users group has Modify permissions that apply to This folder, subfolders, and files on Windows, the ACL contains the following ACE:
AD\Domain Users:ALLOWED/OI|CI/CHANGE
An ACE contains the following parts:
- Security principal
  The security principal is the user, group, or SID the permissions in the ACL are applied to.
- Access right
  Defines whether access to an object is granted or denied. The value can be ALLOWED or DENIED.
- Inheritance information
  The following values exist:
Table 1.1. Inheritance settings
Value   Description         Maps to
OI      Object Inherit      This folder and files
CI      Container Inherit   This folder and subfolders
IO      Inherit Only        The ACE does not apply to the current file or directory
ID      Inherited           The ACE was inherited from the parent directory
Additionally, the values can be combined as follows:
Table 1.2. Inheritance settings combinations
Value combinations   Maps to the Windows "Applies to" setting
OI|CI                This folder, subfolders, and files
OI|CI|IO             Subfolders and files only
CI|IO                Subfolders only
OI|IO                Files only
- Permissions
  This value can be either a hex value that represents one or more Windows permissions or an smbcacls alias:
  - A hex value that represents one or more Windows permissions. The following table displays the advanced Windows permissions and their corresponding value in hex format:
    Table 1.3. Windows permissions and their corresponding smbcacls value in hex format
    Windows permissions              Hex value
    Full control                     0x001F01FF
    Traverse folder / execute file   0x00100020
    List folder / read data          0x00100001
    Read attributes                  0x00100080
    Read extended attributes         0x00100008
    Create files / write data        0x00100002
    Create folders / append data     0x00100004
    Write attributes                 0x00100100
    Write extended attributes        0x00100010
    Delete subfolders and files      0x00100040
    Delete                           0x00110000
    Read permissions                 0x00120000
    Change permissions               0x00140000
    Take ownership                   0x00180000
    Multiple permissions can be combined as a single hex value using the bit-wise OR operation. For details, see ACE mask calculation.
  - An smbcacls alias. The following table displays the available aliases:
    Table 1.4. Existing smbcacls aliases and their corresponding Windows permission
    smbcacls alias   Maps to Windows permission
    R                Read
    READ             Read & execute
    W                Special: Create files / write data, Create folders / append data, Write attributes, Write extended attributes, Read permissions
    D                Delete
    P                Change permissions
    O                Take ownership
    X                Traverse / execute
    CHANGE           Modify
    FULL             Full control
Note: You can combine single-letter aliases when you set permissions. For example, you can set RD to apply the Windows permissions Read and Delete. However, you can neither combine multiple non-single-letter aliases nor combine aliases and hex values.
1.10.2. Displaying ACLs using smbcacls
To display ACLs on an SMB share, use the smbcacls utility. If you run smbcacls without any operation parameter, such as --add, the utility displays the ACLs of a file system object.
Procedure
For example, to list the ACLs of the root directory of the //server/example share:
# smbcacls //server/example / -U "DOMAIN\administrator"
Enter DOMAIN\administrator's password:
REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:AD\Administrators
GROUP:AD\Domain Users
ACL:AD\Administrator:ALLOWED/OI|CI/FULL
ACL:AD\Domain Users:ALLOWED/OI|CI/CHANGE
ACL:AD\Domain Guests:ALLOWED/OI|CI/0x00100021
The output of the command displays:
- REVISION: The internal Windows NT ACL revision of the security descriptor
- CONTROL: Security descriptor control
- OWNER: Name or SID of the security descriptor's owner
- GROUP: Name or SID of the security descriptor's group
- ACL entries. For details, see Access control entries.
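The ACE syntax from Access control entries and the listing above, parsed and validated in Python. This is an added example, not code from the Samba project or this documentation: the alias rules and the "Applies to" mapping are taken from the tables above, while the function names and the sample listing are constructed here.

```python
# Added example, not Samba or Red Hat code. Inheritance flags -> Windows "Applies to" (Tables 1.1, 1.2).
APPLIES_TO = {
    "OI": "This folder and files", "CI": "This folder and subfolders",
    "OI|CI": "This folder, subfolders, and files",
    "OI|CI|IO": "Subfolders and files only",
    "CI|IO": "Subfolders only", "OI|IO": "Files only",
}
# Word aliases cannot be combined; single-letter aliases can, for example "RD" (see the note above).
WORD_ALIASES, LETTER_ALIASES = {"READ", "CHANGE", "FULL"}, set("RWDPOX")

def check_perms(perms):
    """Accept a hex mask, one word alias, or combined single-letter aliases; reject the rest."""
    if perms.startswith("0x"):
        return int(perms, 16)
    if perms in WORD_ALIASES or (perms and set(perms) <= LETTER_ALIASES):
        return perms
    raise ValueError("invalid permissions field: %r" % perms)

def parse_ace(ace):
    """Parse 'security_principal:access_right/inheritance/permissions' (optional 'ACL:' prefix)."""
    ace = ace[4:] if ace.startswith("ACL:") else ace
    principal, rest = ace.rsplit(":", 1)  # the principal may contain spaces and '\'
    access, inherit, perms = rest.split("/")
    if access not in ("ALLOWED", "DENIED"):
        raise ValueError("invalid access right: %r" % access)
    flags = inherit.split("|") if inherit else []
    if not set(flags) <= {"OI", "CI", "IO", "ID"}:
        raise ValueError("invalid inheritance flags: %r" % inherit)
    return {"principal": principal, "access": access, "flags": flags, "perms": check_perms(perms),
            "applies_to": APPLIES_TO.get("|".join(f for f in flags if f != "ID"))}

def parse_smbcacls_output(text):
    """Collect the REVISION, CONTROL, OWNER, GROUP and ACL lines; other lines (prompts) are skipped."""
    desc = {"acl": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "ACL":
            desc["acl"].append(parse_ace(value))
        elif key in ("REVISION", "CONTROL", "OWNER", "GROUP"):
            desc[key.lower()] = value.split("|") if key == "CONTROL" else value
    return desc

# Constructed sample: the listing shown in the procedure above.
SAMPLE = r"""REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:AD\Administrators
GROUP:AD\Domain Users
ACL:AD\Administrator:ALLOWED/OI|CI/FULL
ACL:AD\Domain Users:ALLOWED/OI|CI/CHANGE
ACL:AD\Domain Guests:ALLOWED/OI|CI/0x00100021"""
```

A hex permissions field is returned as an integer so it can be decoded against Table 1.3; an ACE with the inherited flag ID is mapped to the same "Applies to" setting as the parent's ACE.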
1.10.3. ACE mask calculation
In most situations, when you add or update an ACE, you use the smbcacls aliases listed in Existing smbcacls aliases and their corresponding Windows permission.
However, if you want to set advanced Windows permissions as listed in Windows permissions and their corresponding smbcacls value in hex format, you must use the bit-wise OR operation to calculate the correct value. You can use the following shell command to calculate the value:
# echo $(printf '0x%X' $(( hex_value_1 | hex_value_2 | ... )))
Example 1.4. Calculating an ACE mask
You want to set the following permissions:
- Traverse folder / execute file (0x00100020)
- List folder / read data (0x00100001)
- Read attributes (0x00100080)
To calculate the hex value for the previous permissions, enter:
# echo $(printf '0x%X' $(( 0x00100020 | 0x00100001 | 0x00100080 )))
0x1000A1
Use the returned value when you set or update an ACE.
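The same bit-wise OR calculation as Example 1.4 in Python, plus the reverse direction: decoding a hex ACE mask such as the 0x00100021 shown in the listing in Displaying ACLs using smbcacls back into the Table 1.3 permission names, and flagging bits that no table entry accounts for. This is an added example, not code from the Samba project or this documentation; the permission values are the ones in Table 1.3, the function names are constructed here.

```python
# Added example, not Samba or Red Hat code: compose and decode ACE masks from Table 1.3.
WIN_PERMS = {
    "Full control": 0x001F01FF,
    "Traverse folder / execute file": 0x00100020,
    "List folder / read data": 0x00100001,
    "Read attributes": 0x00100080,
    "Read extended attributes": 0x00100008,
    "Create files / write data": 0x00100002,
    "Create folders / append data": 0x00100004,
    "Write attributes": 0x00100100,
    "Write extended attributes": 0x00100010,
    "Delete subfolders and files": 0x00100040,
    "Delete": 0x00110000,
    "Read permissions": 0x00120000,
    "Change permissions": 0x00140000,
    "Take ownership": 0x00180000,
}

def ace_mask(*names):
    """Bit-wise OR of the named permissions, formatted as in Example 1.4 ('0x...')."""
    mask = 0
    for name in names:
        mask |= WIN_PERMS[name]  # KeyError for a name that is not in Table 1.3
    return "0x%X" % mask

def decode_mask(mask):
    """Table 1.3 permissions whose bits are all set in mask (for a hex ACE in a listing)."""
    if mask == WIN_PERMS["Full control"]:
        return ["Full control"]
    return [name for name, bits in WIN_PERMS.items()
            if name != "Full control" and mask & bits == bits]

def undecoded_bits(mask):
    """Bits of mask that no Table 1.3 entry accounts for; non-zero means it is not a clean combination."""
    covered = 0
    for name in decode_mask(mask):
        covered |= WIN_PERMS[name]
    return mask & ~covered

if __name__ == "__main__":
    print(ace_mask("Traverse folder / execute file", "List folder / read data", "Read attributes"))
    print(decode_mask(0x00100021))  # the AD\Domain Guests ACE in the listing above
```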
Depending on the parameter you pass to the smbcacls utility, you can add, update, and remove ACLs from a file or directory.
Adding an ACL
To add an ACL to the root of the //server/example share that grants CHANGE permissions for This folder, subfolders, and files to the AD\Domain Users group:
# smbcacls //server/example / -U "DOMAIN\administrator" --add ACL:"AD\Domain Users":ALLOWED/OI|CI/CHANGE
Updating an ACL
Updating an ACL is similar to adding a new ACL. You update an ACL by overriding the ACL using the --modify parameter with an existing security principal. If smbcacls finds the security principal in the ACL list, the utility updates the permissions. Otherwise, the command fails with the following error:
ACL for SID principal_name not found
For example, to update the permissions of the AD\Domain Users group and set them to READ for This folder, subfolders, and files:
# smbcacls //server/example / -U "DOMAIN\administrator" --modify ACL:"AD\Domain Users":ALLOWED/OI|CI/READ
Deleting an ACL
To delete an ACL, pass the --delete parameter with the exact ACL to the smbcacls utility. For example:
# smbcacls //server/example / -U "DOMAIN\administrator" --delete ACL:"AD\Domain Users":ALLOWED/OI|CI/READ