1 files changed, 0 insertions, 1044 deletions
diff --git a/net/samba419/files/man/smbcacls.1 b/net/samba419/files/man/smbcacls.1
deleted file mode 100644
index b3cf79acd71b..000000000000
--- a/net/samba419/files/man/smbcacls.1
+++ /dev/null
@@ -1,1044 +0,0 @@
-'\" t
-.\"     Title: smbcacls
-.\"    Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 08/09/2022
-.\"    Manual: User Commands
-.\"    Source: Samba 4.16.4
-.\"  Language: English
-.\"
-.TH "SMBCACLS" "1" "08/09/2022" "Samba 4\&.16\&.4" "User Commands"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-smbcacls \- Set or get ACLs on an NT file or directory names
-.SH "SYNOPSIS"
-.HP \w'\ 'u
-smbcacls {//server/share} {/filename} [\-D|\-\-delete=ACL] [\-M|\-\-modify=ACL] [\-a|\-\-add=ACL] [\-S|\-\-set=ACLS] [\-C|\-\-chown=USERNAME] [\-G|\-\-chgrp=GROUPNAME] [\-I|\-\-inherit=STRING] [\-\-propagate\-inheritance] [\-\-numeric] [\-\-sddl] [\-\-query\-security\-info=INT] [\-\-set\-security\-info=INT] [\-t|\-\-test\-args] [\-\-domain\-sid=SID] [\-x|\-\-maximum\-access] [\-?|\-\-help] [\-\-usage] [\-d|\-\-debuglevel=DEBUGLEVEL] [\-\-debug\-stdout] [\-\-configfile=CONFIGFILE] [\-\-option=name=value] [\-l|\-\-log\-basename=LOGFILEBASE] [\-\-leak\-report] [\-\-leak\-report\-full] [\-R|\-\-name\-resolve=NAME\-RESOLVE\-ORDER] [\-O|\-\-socket\-options=SOCKETOPTIONS] [\-m|\-\-max\-protocol=MAXPROTOCOL] [\-n|\-\-netbiosname=NETBIOSNAME] [\-\-netbios\-scope=SCOPE] [\-W|\-\-workgroup=WORKGROUP] [\-\-realm=REALM] [\-U|\-\-user=[DOMAIN/]USERNAME[%PASSWORD]] [\-N|\-\-no\-pass] [\-\-password=STRING] [\-\-pw\-nt\-hash] [\-A|\-\-authentication\-file=FILE] [\-P|\-\-machine\-pass] [\-\-simple\-bind\-dn=DN] [\-\-use\-kerberos=desired|required|off] [\-\-use\-krb5\-ccache=CCACHE] [\-\-use\-winbind\-ccache] [\-\-client\-protection=sign|encrypt|off] [\-V|\-\-version]
-.SH "DESCRIPTION"
-.PP
-This tool is part of the
-\fBsamba\fR(7)
-suite\&.
-.PP
-The
-smbcacls
-program manipulates NT Access Control Lists (ACLs) on SMB file shares\&. An ACL is comprised zero or more Access Control Entries (ACEs), which define access restrictions for a specific user or group\&.
-.SH "OPTIONS"
-.PP
-The following options are available to the
-smbcacls
-program\&. The format of ACLs is described in the section ACL FORMAT
-.PP
-\-a|\-\-add acl
-.RS 4
-Add the entries specified to the ACL\&. Existing access control entries are unchanged\&.
-.RE
-.PP
-\-M|\-\-modify acl
-.RS 4
-Modify the mask value (permissions) for the ACEs specified on the command line\&. An error will be printed for each ACE specified that was not already present in the object\*(Aqs ACL\&.
-.RE
-.PP
-\-D|\-\-delete acl
-.RS 4
-Delete any ACEs specified on the command line\&. An error will be printed for each ACE specified that was not already present in the object\*(Aqs ACL\&.
-.RE
-.PP
-\-S|\-\-set acl
-.RS 4
-This command sets the ACL on the object with only what is specified on the command line\&. Any existing ACL is erased\&. Note that the ACL specified must contain at least a revision, type, owner and group for the call to succeed\&.
-.RE
-.PP
-\-C|\-\-chown name
-.RS 4
-The owner of a file or directory can be changed to the name given using the
-\fI\-C\fR
-option\&. The name can be a sid in the form S\-1\-x\-y\-z or a name resolved against the server specified in the first argument\&.
-.sp
-This command is a shortcut for \-M OWNER:name\&.
-.RE
-.PP
-\-G|\-\-chgrp name
-.RS 4
-The group owner of a file or directory can be changed to the name given using the
-\fI\-G\fR
-option\&. The name can be a sid in the form S\-1\-x\-y\-z or a name resolved against the server specified n the first argument\&.
-.sp
-This command is a shortcut for \-M GROUP:name\&.
-.RE
-.PP
-\-I|\-\-inherit allow|remove|copy
-.RS 4
-Set or unset the windows "Allow inheritable permissions" check box using the
-\fI\-I\fR
-option\&. To set the check box pass allow\&. To unset the check box pass either remove or copy\&. Remove will remove all inherited ACEs\&. Copy will copy all the inherited ACEs\&.
-.RE
-.PP
-\-\-propagate\-inheritance
-.RS 4
-Add, modify, delete or set ACEs on an entire directory tree according to the inheritance flags\&. Refer to the INHERITANCE section for details\&.
-.RE
-.PP
-\-\-numeric
-.RS 4
-This option displays all ACL information in numeric format\&. The default is to convert SIDs to names and ACE types and masks to a readable string format\&.
-.RE
-.PP
-\-m|\-\-max\-protocol PROTOCOL_NAME
-.RS 4
-This allows the user to select the highest SMB protocol level that smbcacls will use to connect to the server\&. By default this is set to NT1, which is the highest available SMB1 protocol\&. To connect using SMB2 or SMB3 protocol, use the strings SMB2 or SMB3 respectively\&. Note that to connect to a Windows 2012 server with encrypted transport selecting a max\-protocol of SMB3 is required\&.
-.RE
-.PP
-\-t|\-\-test\-args
-.RS 4
-Don\*(Aqt actually do anything, only validate the correctness of the arguments\&.
-.RE
-.PP
-\-\-query\-security\-info FLAGS
-.RS 4
-The security\-info flags for queries\&.
-.RE
-.PP
-\-\-set\-security\-info FLAGS
-.RS 4
-The security\-info flags for queries\&.
-.RE
-.PP
-\-\-sddl
-.RS 4
-Output and input acls in sddl format\&.
-.RE
-.PP
-\-\-domain\-sid SID
-.RS 4
-SID used for sddl processing\&.
-.RE
-.PP
-\-x|\-\-maximum\-access
-.RS 4
-When displaying an ACL additionally query the server for effective maximum permissions\&. Note that this is only supported with SMB protocol version 2 or higher\&.
-.RE
-.PP
-\-?|\-\-help
-.RS 4
-Print a summary of command line options\&.
-.RE
-.PP
-\-\-usage
-.RS 4
-Display brief usage message\&.
-.RE
-.PP
-\-d|\-\-debuglevel=DEBUGLEVEL
-.RS 4
-\fIlevel\fR
-is an integer from 0 to 10\&. The default value if this parameter is not specified is 1 for client applications\&.
-.sp
-The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
-.sp
-Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBlog level\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.RE
-.PP
-\-\-debug\-stdout
-.RS 4
-This will redirect debug output to STDOUT\&. By default all clients are logging to STDERR\&.
-.RE
-.PP
-\-\-configfile=<configuration file>
-.RS 4
-The file specified contains the configuration details required by the client\&. The information in this file can be general for client and server or only provide client specific like options such as
-\m[blue]\fBclient smb encrypt\fR\m[]\&. See
-smb\&.conf
-for more information\&. The default configuration file name is determined at compile time\&.
-.RE
-.PP
-\-\-option=<name>=<value>
-.RS 4
-Set the
-\fBsmb.conf\fR(5)
-option "<name>" to value "<value>" from the command line\&. This overrides compiled\-in defaults and options read from the configuration file\&. If a name or a value includes a space, wrap whole \-\-option=name=value into quotes\&.
-.RE
-.PP
-\-l|\-\-log\-basename=logdirectory
-.RS 4
-Base directory name for log/debug files\&. The extension
-\fB"\&.progname"\fR
-will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
-.RE
-.PP
-\-\-leak\-report
-.RS 4
-Enable talloc leak reporting on exit\&.
-.RE
-.PP
-\-\-leak\-report\-full
-.RS 4
-Enable full talloc leak reporting on exit\&.
-.RE
-.PP
-\-V|\-\-version
-.RS 4
-Prints the program version number\&.
-.RE
-.PP
-\-R|\-\-name\-resolve=NAME\-RESOLVE\-ORDER
-.RS 4
-This option is used to determine what naming services and in what order to resolve host names to IP addresses\&. The option takes a space\-separated string of different name resolution options\&. The best ist to wrap the whole \-\-name\-resolve=NAME\-RESOLVE\-ORDER into quotes\&.
-.sp
-The options are: "lmhosts", "host", "wins" and "bcast"\&. They cause names to be resolved as follows:
-.RS
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBlmhosts\fR: Lookup an IP address in the Samba lmhosts file\&. If the line in lmhosts has no name type attached to the NetBIOS name (see the
-\fBlmhosts\fR(5)
-for details) then any name type matches for lookup\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBhost\fR: Do a standard host name to IP address resolution, using the system
-/etc/hosts, NIS, or DNS lookups\&. This method of name resolution is operating system dependent, for instance on IRIX or Solaris this may be controlled by the
-/etc/nsswitch\&.conf
-file)\&. Note that this method is only used if the NetBIOS name type being queried is the 0x20 (server) name type, otherwise it is ignored\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBwins\fR: Query a name with the IP address listed in the
-\fIwins server\fR
-parameter\&. If no WINS server has been specified this method will be ignored\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBbcast\fR: Do a broadcast on each of the known local interfaces listed in the
-\fIinterfaces\fR
-parameter\&. This is the least reliable of the name resolution methods as it depends on the target host being on a locally connected subnet\&.
-.RE
-.sp
-.RE
-If this parameter is not set then the name resolve order defined in the
-smb\&.conf
-file parameter (\m[blue]\fBname resolve order\fR\m[]) will be used\&.
-.sp
-The default order is lmhosts, host, wins, bcast\&. Without this parameter or any entry in the
-\m[blue]\fBname resolve order\fR\m[]
-parameter of the
-smb\&.conf
-file, the name resolution methods will be attempted in this order\&.
-.RE
-.PP
-\-O|\-\-socket\-options=SOCKETOPTIONS
-.RS 4
-TCP socket options to set on the client socket\&. See the socket options parameter in the
-smb\&.conf
-manual page for the list of valid options\&.
-.RE
-.PP
-\-m|\-\-max\-protocol=MAXPROTOCOL
-.RS 4
-The value of the parameter (a string) is the highest protocol level that will be supported by the client\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBclient max protocol\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.RE
-.PP
-\-n|\-\-netbiosname=NETBIOSNAME
-.RS 4
-This option allows you to override the NetBIOS name that Samba uses for itself\&. This is identical to setting the
-\m[blue]\fBnetbios name\fR\m[]
-parameter in the
-smb\&.conf
-file\&. However, a command line setting will take precedence over settings in
-smb\&.conf\&.
-.RE
-.PP
-\-\-netbios\-scope=SCOPE
-.RS 4
-This specifies a NetBIOS scope that
-nmblookup
-will use to communicate with when generating NetBIOS names\&. For details on the use of NetBIOS scopes, see rfc1001\&.txt and rfc1002\&.txt\&. NetBIOS scopes are
-\fIvery\fR
-rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with\&.
-.RE
-.PP
-\-W|\-\-workgroup=WORKGROUP
-.RS 4
-Set the SMB domain of the username\&. This overrides the default domain which is the domain defined in smb\&.conf\&. If the domain specified is the same as the servers NetBIOS name, it causes the client to log on using the servers local SAM (as opposed to the Domain SAM)\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBworkgroup\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.RE
-.PP
-\-r|\-\-realm=REALM
-.RS 4
-Set the realm for the domain\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBrealm\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.RE
-.PP
-\-U|\-\-user=[DOMAIN\e]USERNAME[%PASSWORD]
-.RS 4
-Sets the SMB username or username and password\&.
-.sp
-If %PASSWORD is not specified, the user will be prompted\&. The client will first check the
-\fBUSER\fR
-environment variable (which is also permitted to also contain the password seperated by a %), then the
-\fBLOGNAME\fR
-variable (which is not permitted to contain a password) and if either exists, the value is used\&. If these environmental variables are not found, the username found in a Kerberos Credentials cache may be used\&.
-.sp
-A third option is to use a credentials file which contains the plaintext of the username and password\&. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables\&. If this method is used, make certain that the permissions on the file restrict access from unwanted users\&. See the
-\fI\-A\fR
-for more details\&.
-.sp
-Be cautious about including passwords in scripts or passing user\-supplied values onto the command line\&. For security it is better to let the Samba client tool ask for the password if needed, or obtain the password once with
-kinit\&.
-.sp
-While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race\&.
-.RE
-.PP
-\-N|\-\-no\-pass
-.RS 4
-If specified, this parameter suppresses the normal password prompt from the client to the user\&. This is useful when accessing a service that does not require a password\&.
-.sp
-Unless a password is specified on the command line or this parameter is specified, the client will request a password\&.
-.sp
-If a password is specified on the command line and this option is also defined the password on the command line will be silently ignored and no password will be used\&.
-.RE
-.PP
-\-\-password
-.RS 4
-Specify the password on the commandline\&.
-.sp
-Be cautious about including passwords in scripts or passing user\-supplied values onto the command line\&. For security it is better to let the Samba client tool ask for the password if needed, or obtain the password once with
-kinit\&.
-.sp
-If \-\-password is not specified, the tool will check the
-\fBPASSWD\fR
-environment variable, followed by
-\fBPASSWD_FD\fR
-which is expected to contain an open file descriptor (FD) number\&.
-.sp
-Finally it will check
-\fBPASSWD_FILE\fR
-(containing a file path to be opened)\&. The file should only contain the password\&. Make certain that the permissions on the file restrict access from unwanted users!
-.sp
-While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race\&.
-.RE
-.PP
-\-\-pw\-nt\-hash
-.RS 4
-The supplied password is the NT hash\&.
-.RE
-.PP
-\-A|\-\-authentication\-file=filename
-.RS 4
-This option allows you to specify a file from which to read the username and password used in the connection\&. The format of the file is:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-				username = <value>
-				password = <value>
-				domain   = <value>
-			
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-Make certain that the permissions on the file restrict access from unwanted users!
-.RE
-.PP
-\-P|\-\-machine\-pass
-.RS 4
-Use stored machine account password\&.
-.RE
-.PP
-\-\-simple\-bind\-dn=DN
-.RS 4
-DN to use for a simple bind\&.
-.RE
-.PP
-\-\-use\-kerberos=desired|required|off
-.RS 4
-This parameter determines whether Samba client tools will try to authenticate using Kerberos\&. For Kerberos authentication you need to use dns names instead of IP addresses when connnecting to a service\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBclient use kerberos\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.RE
-.PP
-\-\-use\-krb5\-ccache=CCACHE
-.RS 4
-Specifies the credential cache location for Kerberos authentication\&.
-.sp
-This will set \-\-use\-kerberos=required too\&.
-.RE
-.PP
-\-\-use\-winbind\-ccache
-.RS 4
-Try to use the credential cache by winbind\&.
-.RE
-.PP
-\-\-client\-protection=sign|encrypt|off
-.RS 4
-Sets the connection protection the client tool should use\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBclient protection\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.sp
-In case you need more fine grained control you can use:
-\-\-option=clientsmbencrypt=OPTION,
-\-\-option=clientipcsigning=OPTION,
-\-\-option=clientsigning=OPTION\&.
-.RE
-.SH "ACL FORMAT"
-.PP
-The format of an ACL is one or more entries separated by either commas or newlines\&. An ACL entry is one of the following:
-.PP
-.if n \{\
-.RS 4
-.\}
-.nf
- 
-REVISION:<revision number>
-OWNER:<sid or name>
-GROUP:<sid or name>
-ACL:<sid or name>:<type>/<flags>/<mask>
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Control bits related to automatic inheritance
-.RS
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIOD\fR
-\- "Owner Defaulted" \- Indicates that the SID of the owner of the security descriptor was provided by a default mechanism\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIGD\fR
-\- "Group Defaulted" \- Indicates that the SID of the security descriptor group was provided by a default mechanism\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIDP\fR
-\- "DACL Present" \- Indicates a security descriptor that has a discretionary access control list (DACL)\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIDD\fR
-\- "DACL Defaulted" \- Indicates a security descriptor with a default DACL\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fISP\fR
-\- "SACL Present" \- Indicates a security descriptor that has a system access control list (SACL)\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fISD\fR
-\- "SACL Defaulted" \- A default mechanism, rather than the original provider of the security descriptor, provided the SACL\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIDT\fR
-\- "DACL Trusted"
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fISS\fR
-\- "Server Security"
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIDR\fR
-\- "DACL Inheritance Required" \- Indicates a required security descriptor in which the DACL is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fISR\fR
-\- "SACL Inheritance Required" \- Indicates a required security descriptor in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIDI\fR
-\- "DACL Auto Inherited" \- Indicates a security descriptor in which the DACL is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fISI\fR
-\- "SACL Auto Inherited" \- Indicates a security descriptor in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIPD\fR
-\- "DACL Protected" \- Prevents the DACL of the security descriptor from being modified by inheritable ACEs\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIPS\fR
-\- "SACL Protected" \- Prevents the SACL of the security descriptor from being modified by inheritable ACEs\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIRM\fR
-\- "RM Control Valid" \- Indicates that the resource manager control is valid\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fISR\fR
-\- "Self Relative" \- Indicates a self\-relative security descriptor\&.
-.RE
-.sp
-.RE
-.PP
-The revision of the ACL specifies the internal Windows NT ACL revision for the security descriptor\&. If not specified it defaults to 1\&. Using values other than 1 may cause strange behaviour\&.
-.PP
-The owner and group specify the owner and group sids for the object\&. If a SID in the format S\-1\-x\-y\-z is specified this is used, otherwise the name specified is resolved using the server on which the file or directory resides\&.
-.PP
-ACEs are specified with an "ACL:" prefix, and define permissions granted to an SID\&. The SID again can be specified in S\-1\-x\-y\-z format or as a name in which case it is resolved against the server on which the file or directory resides\&. The type, flags and mask values determine the type of access granted to the SID\&.
-.PP
-The type can be either ALLOWED or DENIED to allow/deny access to the SID\&.
-.PP
-The flags field defines how the ACE should be considered when performing inheritance\&.
-smbcacls
-uses these flags when run with
-\fI\-\-propagate\-inheritance\fR\&.
-.PP
-Flags can be specified as decimal or hexadecimal values, or with the respective (XX) aliases, separated by a vertical bar "|"\&.
-.RS
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fI(OI)\fR
-Object Inherit 0x1
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fI(CI)\fR
-Container Inherit 0x2
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fI(NP)\fR
-No Propagate Inherit 0x4
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fI(IO)\fR
-Inherit Only 0x8
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fI(I)\fR
-ACE was inherited 0x10
-.RE
-.sp
-.RE
-.PP
-The mask is a value which expresses the access right granted to the SID\&. It can be given as a decimal or hexadecimal value, or by using one of the following text strings which map to the NT file permissions of the same name\&.
-.RS
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIR\fR
-\- Allow read access
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIW\fR
-\- Allow write access
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIX\fR
-\- Execute permission on the object
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fID\fR
-\- Delete the object
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIP\fR
-\- Change permissions
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIO\fR
-\- Take ownership
-.RE
-.sp
-.RE
-.PP
-The following combined permissions can be specified:
-.RS
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIREAD\fR
-\- Equivalent to \*(AqRX\*(Aq permissions
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fICHANGE\fR
-\- Equivalent to \*(AqRXWD\*(Aq permissions
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fIFULL\fR
-\- Equivalent to \*(AqRWXDPO\*(Aq permissions
-.RE
-.SH "INHERITANCE"
-.PP
-Per\-ACE inheritance flags can be set in the ACE flags field\&. By default, inheritable ACEs e\&.g\&. those marked for object inheritance (OI) or container inheritance (CI), are not propagated to sub\-files or folders\&. However, with the
-\fI\-\-propagate\-inheritance\fR
-argument specified, such ACEs are automatically propagated according to some inheritance rules\&.
-.RS
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Inheritable (OI)(OI) ACE flags can only be applied to folders\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Any inheritable ACEs applied to sub\-files or folders are marked with the inherited (I) flag\&. Inheritable ACE(s) are applied to folders unless the no propagation (NP) flag is set\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-When an ACE with the (OI) flag alone set is progagated to a child folder the inheritance only flag (IO) is also applied\&. This indicates the permissions associated with the ACE don\*(Aqt apply to the folder itself (only to it\*(Aqs child files)\&. When applying the ACE to a child file the ACE is inherited as normal\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-When an ace with the (CI) flag alone set is propagated to a child file there is no effect, when propagated to a child folder it is inherited as normal\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-When an ACE that has both (OI) & (CI) flags set the ACE is inherited as normal by both folders and files\&.
-.RE
-.sp
-.RE
-.PP
-(OI)(READ) added to parent folder
-.PP
-.if n \{\
-.RS 4
-.\}
-.nf
-+\-parent/        (OI)(READ)
-| +\-file\&.1       (I)(READ)
-| +\-nested/      (OI)(IO)(I)(READ)
-  |   +\-file\&.2   (I)(READ)
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-(CI)(READ) added to parent folder
-.PP
-.if n \{\
-.RS 4
-.\}
-.nf
-+\-parent/        (CI)(READ)
-| +\-file\&.1
-| +\-nested/      (CI)(I)(READ)
-  |   +\-file\&.2
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-(OI)(CI)(READ) added to parent folder
-.PP
-.if n \{\
-.RS 4
-.\}
-.nf
-+\-parent/        (OI)(CI)(READ)
-| +\-file\&.1       (I)(READ)
-| +\-nested/      (OI)(CI)(I)(READ)
-  |   +\-file\&.2   (I)(READ)
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-(OI)(NP)(READ) added to parent folder
-.PP
-.if n \{\
-.RS 4
-.\}
-.nf
-+\-oi_dir/        (OI)(NP)(READ)
-| +\-file\&.1       (I)(READ)
-| +\-nested/
-|   +\-file\&.2
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-(CI)(NP)(READ) added to parent folder
-.PP
-.if n \{\
-.RS 4
-.\}
-.nf
-+\-oi_dir/        (CI)(NP)(READ)
-| +\-file\&.1
-| +\-nested/      (I)(READ)
-|   +\-file\&.2
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-(OI)(CI)(NP)(READ) added to parent folder
-.PP
-.if n \{\
-.RS 4
-.\}
-.nf
-+\-parent/        (CI)(OI)(NP)(READ)
-| +\-file\&.1       (I)(READ)
-| +\-nested/      (I)(READ)
-|   +\-file\&.2
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Files and folders with protected ACLs do not allow inheritable permissions (set with
-\fI\-I\fR)\&. Such objects will not receive ACEs flagged for inheritance with (CI) or (OI)\&.
-.SH "EXIT STATUS"
-.PP
-The
-smbcacls
-program sets the exit status depending on the success or otherwise of the operations performed\&. The exit status may be one of the following values\&.
-.PP
-If the operation succeeded, smbcacls returns and exit status of 0\&. If
-smbcacls
-couldn\*(Aqt connect to the specified server, or there was an error getting or setting the ACLs, an exit status of 1 is returned\&. If there was an error parsing any command line arguments, an exit status of 2 is returned\&.
-.SH "VERSION"
-.PP
-This man page is part of version 4\&.16\&.4 of the Samba suite\&.
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
-.PP
-smbcacls
-was written by Andrew Tridgell and Tim Potter\&.
-.PP
-The conversion to DocBook for Samba 2\&.2 was done by Gerald Carter\&. The conversion to DocBook XML 4\&.2 for Samba 3\&.0 was done by Alexander Bokovoy\&.