smbcacls Command in Linux



The smbcacls command is a useful tool provided by the Samba suite, which is widely used to manage and share files and printers between Unix/Linux and Windows systems. smbcacls allows administrators to manage the access control lists (ACLs) on files and directories shared via the Server Message Block (SMB) protocol.


This guide covers the options available with the smbcacls command and shows an example of each.

Understanding the smbcacls Command

Before using smbcacls, you need to install the Samba suite. The installation commands vary depending on your Linux distribution −

Debian / Ubuntu

sudo apt-get install samba

Red Hat / Fedora

sudo yum install samba

Arch Linux

sudo pacman -S samba

OpenSUSE

sudo zypper install samba

Syntax of smbcacls Command

The basic syntax of the smbcacls command is as follows −

smbcacls [options] {service} {filename}

Here, {service} refers to the SMB share, and {filename} refers to the file or directory within the share for which you want to manage the ACLs.

smbcacls Command Options

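Let's explore some commonly used options with smbcacls. Each ACL entry is written as ACL:[domain\user]:[type]/[flags]/[rights], where [type] is ALLOWED or DENIED and [flags] is 0 when no inheritance flags are set −

View ACLs

smbcacls -U [username] //[server]/[share] [filename]

Add a User/Group to ACL

smbcacls -U [username] //[server]/[share] [filename] -a ACL:[domain\user]:[type]/[flags]/[rights]

Modify ACLs

smbcacls -U [username] //[server]/[share] [filename] -M ACL:[domain\user]:[type]/[flags]/[rights]

Delete ACLs

smbcacls -U [username] //[server]/[share] [filename] -D ACL:[domain\user]:[type]/[flags]/[rights]

Set ACLs

smbcacls -U [username] //[server]/[share] [filename] -S ACL:[domain\user]:[type]/[flags]/[rights]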

Examples of smbcacls Command in Linux

Let's now take a look at some example scenarios followed by their detailed explanations.

  • Viewing ACLs
  • Adding a User/Group to ACL
  • Modifying ACLs
  • Deleting ACLs
  • Setting ACLs
  • Recursively Adding ACLs
  • Viewing ACLs in Machine Readable Format
  • Specifying Workgroup or Domain

Viewing ACLs

To view the ACLs of a specific file or directory within an SMB share, you can use the -U option to specify the username and provide the SMB share and filename −

smbcacls -U alice //server/share /path/to/file

This command will prompt you for a password and then display the ACLs for the specified file or directory. The output will show the users and groups that have permissions on the file, along with their respective rights.

Adding a User/Group to ACL

To add a user or group to the ACL of a specific file or directory, you can use the -a option −

smbcacls -U alice //server/share /path/to/file -a "ACL:DOMAIN\bob:ALLOWED/0/RWD"

In this example, the user DOMAIN\bob is granted read (R), write (W), and delete (D) permissions on the specified file. ALLOWED is the entry type, and 0 means no inheritance flags are set. The command will prompt you for a password and then update the ACL accordingly.

Modifying ACLs

To modify the ACLs of a specific file or directory, you can use the -M option −

smbcacls -U alice //server/share /path/to/file -M "ACL:DOMAIN\bob:ALLOWED/0/RX"

This command changes the permissions for DOMAIN\bob to read (R) and execute (X) on the specified file. The command will prompt you for a password and then update the ACL accordingly.

Deleting ACLs

To delete a user or group from the ACL of a specific file or directory, you can use the -D option −

smbcacls -U alice //server/share /path/to/file -D "ACL:DOMAIN\bob:ALLOWED/0/RX"

This command removes DOMAIN\bob from the ACL of the specified file. The entry passed to -D must match the existing entry exactly, here the read and execute entry from the previous example. The command will prompt you for a password and then update the ACL accordingly.

Setting ACLs

To set the ACLs of a specific file or directory, you can use the -S option. This option replaces the existing ACLs with the specified ACLs −

smbcacls -U alice //server/share /path/to/file -S "ACL:DOMAIN\alice:ALLOWED/0/RW,ACL:DOMAIN\bob:ALLOWED/0/R"

This command sets the ACLs of the specified file so that DOMAIN\alice has read (R) and write (W) permissions, while DOMAIN\bob has only read (R) permission. Because every entry not listed is removed, view the current ACL first so that entries you still need are not lost. The command will prompt you for a password and then update the ACL accordingly.

Detailed Explanation of Rights

The rights string used in the smbcacls command represents the permissions assigned to a user or group. Here are the possible rights and their meanings −

  • R (Read) − Grants the ability to read the contents of the file or directory.
  • W (Write) − Grants the ability to write to or modify the file or directory.
  • X (Execute) − Grants the ability to execute the file or access the directory.
  • D (Delete) − Grants the ability to delete the file or directory.
  • P (Change Permissions) − Grants the ability to change the permissions of the file or directory.
  • O (Take Ownership) − Grants the ability to take ownership of the file or directory.

You can combine multiple rights by listing them together. For example, RWX grants read, write, and execute permissions.
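
The rights letters above are also what you look for when reviewing a share's permissions. The following script is an added example, not part of the original page: it reads ACL text in the ACL:<name>:<type>/<flags>/<mask> layout and reports ALLOWED entries that give a broad principal write, delete, change-permissions or take-ownership rights. The sample ACL is constructed, and the list of broad principals is an assumption to adjust for your environment.

```shell
#!/bin/bash
# Added example: audit smbcacls-style output for risky entries.

# Constructed sample ACL (not captured from a real server).
sample_acl() {
    cat <<'EOF'
REVISION:1
OWNER:DOMAIN\alice
GROUP:DOMAIN\Domain Users
ACL:DOMAIN\alice:ALLOWED/0x0/FULL
ACL:Everyone:ALLOWED/0x0/RWXD
ACL:DOMAIN\bob:ALLOWED/0x0/R
ACL:BUILTIN\Users:ALLOWED/0x0/RXPO
ACL:DOMAIN\Domain Users:ALLOWED/0x0/READ
ACL:Everyone:DENIED/0x0/W
EOF
}

# Reads ACL text on stdin; prints "<principal><TAB><mask>" for each ALLOWED
# entry that gives a broad principal W, D, P or O rights.
flag_risky_aces() {
    awk '
    BEGIN {
        # Broad principals to watch (an assumption; adjust per environment).
        n = split("Everyone|Authenticated Users|Users|Domain Users", b, "|")
        for (i = 1; i <= n; i++) broad[b[i]] = 1
    }
    /^ACL:/ {
        entry = substr($0, 5)
        if (!match(entry, /:[^:]*$/)) next        # malformed line
        name = substr(entry, 1, RSTART - 1)
        split(substr(entry, RSTART + 1), f, "/")  # type / flags / mask
        if (f[1] != "ALLOWED") next
        short = name
        sub(/^.*\\/, "", short)                   # drop the DOMAIN\ prefix
        if (!(short in broad)) next
        mask = f[3]
        if (mask == "READ") next                  # word form; its D is not Delete
        # Hex masks are reported too so they get a manual look.
        if (mask == "FULL" || mask == "CHANGE" || mask ~ /^0x/ || mask ~ /[WDPO]/)
            printf "%s\t%s\n", name, mask
    }'
}

# Demo on the constructed sample. Live use (prompts for a password):
#   smbcacls -U alice //server/share /path/to/file | flag_risky_aces
sample_acl | flag_risky_aces
```

On the sample, the script reports the Everyone entry with RWXD and the BUILTIN\Users entry with RXPO, and skips the DENIED and read-only entries.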

Recursively Adding ACLs

To recursively add a user or group to the ACLs of a directory and all its subdirectories and files, you can use the -R option −

smbcacls -U alice //server/share /path/to/directory -a "ACL:DOMAIN\bob:ALLOWED/0/RWX" -R

This command grants DOMAIN\bob read, write, and execute permissions on the specified directory and all its contents. The command will prompt you for a password and then update the ACLs accordingly.

Viewing ACLs in Machine Readable Format

To view the ACLs of a file or directory in a machine-readable format, you can use the -g option −

smbcacls -U alice //server/share /path/to/file -g

This command will display the ACLs in a format that is easier to parse programmatically, making it useful for automation and scripting.

Specifying Workgroup or Domain

If your SMB share is part of a specific workgroup or domain, you can specify it using the -W option −

smbcacls -U alice -W WORKGROUP //server/share /path/to/file

This command specifies that alice is part of the WORKGROUP workgroup, ensuring that the correct credentials are used for accessing the SMB share.

Managing ACLs on Windows Shares from Linux

The smbcacls command is particularly useful for managing ACLs on Windows shares from a Linux system. For example, to manage the ACLs on a file shared from a Windows server, you can use the following command −

smbcacls -U alice //windows-server/share /path/to/file -a "ACL:DOMAIN\bob:ALLOWED/0/RW"

This command grants DOMAIN\bob read and write permissions on the specified file shared from the Windows server.

Automating ACL Management with Scripts

You can automate the management of ACLs using shell scripts. For example, to set ACLs on multiple files, you can create a script like this −

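#!/bin/bash

USERNAME="alice"
SERVER="server"
SHARE="share"
DOMAIN="DOMAIN"
# Named TARGET_USER so the shell's own USER variable is not overwritten
TARGET_USER="bob"
RIGHTS="RW"

FILES=(
    "/path/to/file1"
    "/path/to/file2"
    "/path/to/file3"
)

for FILE in "${FILES[@]}"; do
    # Quote every argument so paths containing spaces are passed intact
    smbcacls -U "$USERNAME" "//$SERVER/$SHARE" "$FILE" -a "ACL:$DOMAIN\\$TARGET_USER:ALLOWED/0/$RIGHTS"
done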

This script iterates over a list of files and grants DOMAIN\bob read and write permissions on each file. You can customize the script to suit your specific needs.

Conclusion

The smbcacls command is a powerful tool. It provides a way to view and modify ACLs from the command line, making it an essential tool for managing permissions in a networked environment.
