1 files changed, 1044 insertions, 0 deletions
diff --git a/net/samba420/files/man/smbcacls.1 b/net/samba420/files/man/smbcacls.1
new file mode 100644
index 000000000000..b3cf79acd71b
--- /dev/null
+++ b/net/samba420/files/man/smbcacls.1
@@ -0,0 +1,1044 @@
+'\" t
+.\"     Title: smbcacls
+.\"    Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\"      Date: 08/09/2022
+.\"    Manual: User Commands
+.\"    Source: Samba 4.16.4
+.\"  Language: English
+.\"
+.TH "SMBCACLS" "1" "08/09/2022" "Samba 4\&.16\&.4" "User Commands"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+smbcacls \- Set or get ACLs on an NT file or directory names
+.SH "SYNOPSIS"
+.HP \w'\ 'u
+smbcacls {//server/share} {/filename} [\-D|\-\-delete=ACL] [\-M|\-\-modify=ACL] [\-a|\-\-add=ACL] [\-S|\-\-set=ACLS] [\-C|\-\-chown=USERNAME] [\-G|\-\-chgrp=GROUPNAME] [\-I|\-\-inherit=STRING] [\-\-propagate\-inheritance] [\-\-numeric] [\-\-sddl] [\-\-query\-security\-info=INT] [\-\-set\-security\-info=INT] [\-t|\-\-test\-args] [\-\-domain\-sid=SID] [\-x|\-\-maximum\-access] [\-?|\-\-help] [\-\-usage] [\-d|\-\-debuglevel=DEBUGLEVEL] [\-\-debug\-stdout] [\-\-configfile=CONFIGFILE] [\-\-option=name=value] [\-l|\-\-log\-basename=LOGFILEBASE] [\-\-leak\-report] [\-\-leak\-report\-full] [\-R|\-\-name\-resolve=NAME\-RESOLVE\-ORDER] [\-O|\-\-socket\-options=SOCKETOPTIONS] [\-m|\-\-max\-protocol=MAXPROTOCOL] [\-n|\-\-netbiosname=NETBIOSNAME] [\-\-netbios\-scope=SCOPE] [\-W|\-\-workgroup=WORKGROUP] [\-\-realm=REALM] [\-U|\-\-user=[DOMAIN/]USERNAME[%PASSWORD]] [\-N|\-\-no\-pass] [\-\-password=STRING] [\-\-pw\-nt\-hash] [\-A|\-\-authentication\-file=FILE] [\-P|\-\-machine\-pass] [\-\-simple\-bind\-dn=DN] [\-\-use\-kerberos=desired|required|off] [\-\-use\-krb5\-ccache=CCACHE] [\-\-use\-winbind\-ccache] [\-\-client\-protection=sign|encrypt|off] [\-V|\-\-version]
+.SH "DESCRIPTION"
+.PP
+This tool is part of the
+\fBsamba\fR(7)
+suite\&.
+.PP
+The
+smbcacls
+program manipulates NT Access Control Lists (ACLs) on SMB file shares\&. An ACL is comprised zero or more Access Control Entries (ACEs), which define access restrictions for a specific user or group\&.
+.SH "OPTIONS"
+.PP
+The following options are available to the
+smbcacls
+program\&. The format of ACLs is described in the section ACL FORMAT
+.PP
+\-a|\-\-add acl
+.RS 4
+Add the entries specified to the ACL\&. Existing access control entries are unchanged\&.
+.RE
+.PP
+\-M|\-\-modify acl
+.RS 4
+Modify the mask value (permissions) for the ACEs specified on the command line\&. An error will be printed for each ACE specified that was not already present in the object\*(Aqs ACL\&.
+.RE
+.PP
+\-D|\-\-delete acl
+.RS 4
+Delete any ACEs specified on the command line\&. An error will be printed for each ACE specified that was not already present in the object\*(Aqs ACL\&.
+.RE
+.PP
+\-S|\-\-set acl
+.RS 4
+This command sets the ACL on the object with only what is specified on the command line\&. Any existing ACL is erased\&. Note that the ACL specified must contain at least a revision, type, owner and group for the call to succeed\&.
+.RE
+.PP
+\-C|\-\-chown name
+.RS 4
+The owner of a file or directory can be changed to the name given using the
+\fI\-C\fR
+option\&. The name can be a sid in the form S\-1\-x\-y\-z or a name resolved against the server specified in the first argument\&.
+.sp
+This command is a shortcut for \-M OWNER:name\&.
+.RE
+.PP
+\-G|\-\-chgrp name
+.RS 4
+The group owner of a file or directory can be changed to the name given using the
+\fI\-G\fR
+option\&. The name can be a sid in the form S\-1\-x\-y\-z or a name resolved against the server specified n the first argument\&.
+.sp
+This command is a shortcut for \-M GROUP:name\&.
+.RE
+.PP
+\-I|\-\-inherit allow|remove|copy
+.RS 4
+Set or unset the windows "Allow inheritable permissions" check box using the
+\fI\-I\fR
+option\&. To set the check box pass allow\&. To unset the check box pass either remove or copy\&. Remove will remove all inherited ACEs\&. Copy will copy all the inherited ACEs\&.
+.RE
+.PP
+\-\-propagate\-inheritance
+.RS 4
+Add, modify, delete or set ACEs on an entire directory tree according to the inheritance flags\&. Refer to the INHERITANCE section for details\&.
+.RE
+.PP
+\-\-numeric
+.RS 4
+This option displays all ACL information in numeric format\&. The default is to convert SIDs to names and ACE types and masks to a readable string format\&.
+.RE
+.PP
+\-m|\-\-max\-protocol PROTOCOL_NAME
+.RS 4
+This allows the user to select the highest SMB protocol level that smbcacls will use to connect to the server\&. By default this is set to NT1, which is the highest available SMB1 protocol\&. To connect using SMB2 or SMB3 protocol, use the strings SMB2 or SMB3 respectively\&. Note that to connect to a Windows 2012 server with encrypted transport selecting a max\-protocol of SMB3 is required\&.
+.RE
+.PP
+\-t|\-\-test\-args
+.RS 4
+Don\*(Aqt actually do anything, only validate the correctness of the arguments\&.
+.RE
+.PP
+\-\-query\-security\-info FLAGS
+.RS 4
+The security\-info flags for queries\&.
+.RE
+.PP
+\-\-set\-security\-info FLAGS
+.RS 4
+The security\-info flags for queries\&.
+.RE
+.PP
+\-\-sddl
+.RS 4
+Output and input acls in sddl format\&.
+.RE
+.PP
+\-\-domain\-sid SID
+.RS 4
+SID used for sddl processing\&.
+.RE
+.PP
+\-x|\-\-maximum\-access
+.RS 4
+When displaying an ACL additionally query the server for effective maximum permissions\&. Note that this is only supported with SMB protocol version 2 or higher\&.
+.RE
+.PP
+\-?|\-\-help
+.RS 4
+Print a summary of command line options\&.
+.RE
+.PP
+\-\-usage
+.RS 4
+Display brief usage message\&.
+.RE
+.PP
+\-d|\-\-debuglevel=DEBUGLEVEL
+.RS 4
+\fIlevel\fR
+is an integer from 0 to 10\&. The default value if this parameter is not specified is 1 for client applications\&.
+.sp
+The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
+.sp
+Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBlog level\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-\-debug\-stdout
+.RS 4
+This will redirect debug output to STDOUT\&. By default all clients are logging to STDERR\&.
+.RE
+.PP
+\-\-configfile=<configuration file>
+.RS 4
+The file specified contains the configuration details required by the client\&. The information in this file can be general for client and server or only provide client specific like options such as
+\m[blue]\fBclient smb encrypt\fR\m[]\&. See
+smb\&.conf
+for more information\&. The default configuration file name is determined at compile time\&.
+.RE
+.PP
+\-\-option=<name>=<value>
+.RS 4
+Set the
+\fBsmb.conf\fR(5)
+option "<name>" to value "<value>" from the command line\&. This overrides compiled\-in defaults and options read from the configuration file\&. If a name or a value includes a space, wrap whole \-\-option=name=value into quotes\&.
+.RE
+.PP
+\-l|\-\-log\-basename=logdirectory
+.RS 4
+Base directory name for log/debug files\&. The extension
+\fB"\&.progname"\fR
+will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
+.RE
+.PP
+\-\-leak\-report
+.RS 4
+Enable talloc leak reporting on exit\&.
+.RE
+.PP
+\-\-leak\-report\-full
+.RS 4
+Enable full talloc leak reporting on exit\&.
+.RE
+.PP
+\-V|\-\-version
+.RS 4
+Prints the program version number\&.
+.RE
+.PP
+\-R|\-\-name\-resolve=NAME\-RESOLVE\-ORDER
+.RS 4
+This option is used to determine what naming services and in what order to resolve host names to IP addresses\&. The option takes a space\-separated string of different name resolution options\&. The best ist to wrap the whole \-\-name\-resolve=NAME\-RESOLVE\-ORDER into quotes\&.
+.sp
+The options are: "lmhosts", "host", "wins" and "bcast"\&. They cause names to be resolved as follows:
+.RS
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBlmhosts\fR: Lookup an IP address in the Samba lmhosts file\&. If the line in lmhosts has no name type attached to the NetBIOS name (see the
+\fBlmhosts\fR(5)
+for details) then any name type matches for lookup\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBhost\fR: Do a standard host name to IP address resolution, using the system
+/etc/hosts, NIS, or DNS lookups\&. This method of name resolution is operating system dependent, for instance on IRIX or Solaris this may be controlled by the
+/etc/nsswitch\&.conf
+file)\&. Note that this method is only used if the NetBIOS name type being queried is the 0x20 (server) name type, otherwise it is ignored\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBwins\fR: Query a name with the IP address listed in the
+\fIwins server\fR
+parameter\&. If no WINS server has been specified this method will be ignored\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBbcast\fR: Do a broadcast on each of the known local interfaces listed in the
+\fIinterfaces\fR
+parameter\&. This is the least reliable of the name resolution methods as it depends on the target host being on a locally connected subnet\&.
+.RE
+.sp
+.RE
+If this parameter is not set then the name resolve order defined in the
+smb\&.conf
+file parameter (\m[blue]\fBname resolve order\fR\m[]) will be used\&.
+.sp
+The default order is lmhosts, host, wins, bcast\&. Without this parameter or any entry in the
+\m[blue]\fBname resolve order\fR\m[]
+parameter of the
+smb\&.conf
+file, the name resolution methods will be attempted in this order\&.
+.RE
+.PP
+\-O|\-\-socket\-options=SOCKETOPTIONS
+.RS 4
+TCP socket options to set on the client socket\&. See the socket options parameter in the
+smb\&.conf
+manual page for the list of valid options\&.
+.RE
+.PP
+\-m|\-\-max\-protocol=MAXPROTOCOL
+.RS 4
+The value of the parameter (a string) is the highest protocol level that will be supported by the client\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBclient max protocol\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-n|\-\-netbiosname=NETBIOSNAME
+.RS 4
+This option allows you to override the NetBIOS name that Samba uses for itself\&. This is identical to setting the
+\m[blue]\fBnetbios name\fR\m[]
+parameter in the
+smb\&.conf
+file\&. However, a command line setting will take precedence over settings in
+smb\&.conf\&.
+.RE
+.PP
+\-\-netbios\-scope=SCOPE
+.RS 4
+This specifies a NetBIOS scope that
+nmblookup
+will use to communicate with when generating NetBIOS names\&. For details on the use of NetBIOS scopes, see rfc1001\&.txt and rfc1002\&.txt\&. NetBIOS scopes are
+\fIvery\fR
+rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with\&.
+.RE
+.PP
+\-W|\-\-workgroup=WORKGROUP
+.RS 4
+Set the SMB domain of the username\&. This overrides the default domain which is the domain defined in smb\&.conf\&. If the domain specified is the same as the servers NetBIOS name, it causes the client to log on using the servers local SAM (as opposed to the Domain SAM)\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBworkgroup\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-r|\-\-realm=REALM
+.RS 4
+Set the realm for the domain\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBrealm\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-U|\-\-user=[DOMAIN\e]USERNAME[%PASSWORD]
+.RS 4
+Sets the SMB username or username and password\&.
+.sp
+If %PASSWORD is not specified, the user will be prompted\&. The client will first check the
+\fBUSER\fR
+environment variable (which is also permitted to also contain the password seperated by a %), then the
+\fBLOGNAME\fR
+variable (which is not permitted to contain a password) and if either exists, the value is used\&. If these environmental variables are not found, the username found in a Kerberos Credentials cache may be used\&.
+.sp
+A third option is to use a credentials file which contains the plaintext of the username and password\&. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables\&. If this method is used, make certain that the permissions on the file restrict access from unwanted users\&. See the
+\fI\-A\fR
+for more details\&.
+.sp
+Be cautious about including passwords in scripts or passing user\-supplied values onto the command line\&. For security it is better to let the Samba client tool ask for the password if needed, or obtain the password once with
+kinit\&.
+.sp
+While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race\&.
+.RE
+.PP
+\-N|\-\-no\-pass
+.RS 4
+If specified, this parameter suppresses the normal password prompt from the client to the user\&. This is useful when accessing a service that does not require a password\&.
+.sp
+Unless a password is specified on the command line or this parameter is specified, the client will request a password\&.
+.sp
+If a password is specified on the command line and this option is also defined the password on the command line will be silently ignored and no password will be used\&.
+.RE
+.PP
+\-\-password
+.RS 4
+Specify the password on the commandline\&.
+.sp
+Be cautious about including passwords in scripts or passing user\-supplied values onto the command line\&. For security it is better to let the Samba client tool ask for the password if needed, or obtain the password once with
+kinit\&.
+.sp
+If \-\-password is not specified, the tool will check the
+\fBPASSWD\fR
+environment variable, followed by
+\fBPASSWD_FD\fR
+which is expected to contain an open file descriptor (FD) number\&.
+.sp
+Finally it will check
+\fBPASSWD_FILE\fR
+(containing a file path to be opened)\&. The file should only contain the password\&. Make certain that the permissions on the file restrict access from unwanted users!
+.sp
+While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race\&.
+.RE
+.PP
+\-\-pw\-nt\-hash
+.RS 4
+The supplied password is the NT hash\&.
+.RE
+.PP
+\-A|\-\-authentication\-file=filename
+.RS 4
+This option allows you to specify a file from which to read the username and password used in the connection\&. The format of the file is:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+				username = <value>
+				password = <value>
+				domain   = <value>
+			
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Make certain that the permissions on the file restrict access from unwanted users!
+.RE
+.PP
+\-P|\-\-machine\-pass
+.RS 4
+Use stored machine account password\&.
+.RE
+.PP
+\-\-simple\-bind\-dn=DN
+.RS 4
+DN to use for a simple bind\&.
+.RE
+.PP
+\-\-use\-kerberos=desired|required|off
+.RS 4
+This parameter determines whether Samba client tools will try to authenticate using Kerberos\&. For Kerberos authentication you need to use dns names instead of IP addresses when connnecting to a service\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBclient use kerberos\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-\-use\-krb5\-ccache=CCACHE
+.RS 4
+Specifies the credential cache location for Kerberos authentication\&.
+.sp
+This will set \-\-use\-kerberos=required too\&.
+.RE
+.PP
+\-\-use\-winbind\-ccache
+.RS 4
+Try to use the credential cache by winbind\&.
+.RE
+.PP
+\-\-client\-protection=sign|encrypt|off
+.RS 4
+Sets the connection protection the client tool should use\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBclient protection\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.sp
+In case you need more fine grained control you can use:
+\-\-option=clientsmbencrypt=OPTION,
+\-\-option=clientipcsigning=OPTION,
+\-\-option=clientsigning=OPTION\&.
+.RE
+.SH "ACL FORMAT"
+.PP
+The format of an ACL is one or more entries separated by either commas or newlines\&. An ACL entry is one of the following:
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+ 
+REVISION:<revision number>
+OWNER:<sid or name>
+GROUP:<sid or name>
+ACL:<sid or name>:<type>/<flags>/<mask>
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Control bits related to automatic inheritance
+.RS
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIOD\fR
+\- "Owner Defaulted" \- Indicates that the SID of the owner of the security descriptor was provided by a default mechanism\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIGD\fR
+\- "Group Defaulted" \- Indicates that the SID of the security descriptor group was provided by a default mechanism\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIDP\fR
+\- "DACL Present" \- Indicates a security descriptor that has a discretionary access control list (DACL)\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIDD\fR
+\- "DACL Defaulted" \- Indicates a security descriptor with a default DACL\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fISP\fR
+\- "SACL Present" \- Indicates a security descriptor that has a system access control list (SACL)\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fISD\fR
+\- "SACL Defaulted" \- A default mechanism, rather than the original provider of the security descriptor, provided the SACL\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIDT\fR
+\- "DACL Trusted"
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fISS\fR
+\- "Server Security"
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIDR\fR
+\- "DACL Inheritance Required" \- Indicates a required security descriptor in which the DACL is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fISR\fR
+\- "SACL Inheritance Required" \- Indicates a required security descriptor in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIDI\fR
+\- "DACL Auto Inherited" \- Indicates a security descriptor in which the DACL is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fISI\fR
+\- "SACL Auto Inherited" \- Indicates a security descriptor in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIPD\fR
+\- "DACL Protected" \- Prevents the DACL of the security descriptor from being modified by inheritable ACEs\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIPS\fR
+\- "SACL Protected" \- Prevents the SACL of the security descriptor from being modified by inheritable ACEs\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIRM\fR
+\- "RM Control Valid" \- Indicates that the resource manager control is valid\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fISR\fR
+\- "Self Relative" \- Indicates a self\-relative security descriptor\&.
+.RE
+.sp
+.RE
+.PP
+The revision of the ACL specifies the internal Windows NT ACL revision for the security descriptor\&. If not specified it defaults to 1\&. Using values other than 1 may cause strange behaviour\&.
+.PP
+The owner and group specify the owner and group sids for the object\&. If a SID in the format S\-1\-x\-y\-z is specified this is used, otherwise the name specified is resolved using the server on which the file or directory resides\&.
+.PP
+ACEs are specified with an "ACL:" prefix, and define permissions granted to an SID\&. The SID again can be specified in S\-1\-x\-y\-z format or as a name in which case it is resolved against the server on which the file or directory resides\&. The type, flags and mask values determine the type of access granted to the SID\&.
+.PP
+The type can be either ALLOWED or DENIED to allow/deny access to the SID\&.
+.PP
+The flags field defines how the ACE should be considered when performing inheritance\&.
+smbcacls
+uses these flags when run with
+\fI\-\-propagate\-inheritance\fR\&.
+.PP
+Flags can be specified as decimal or hexadecimal values, or with the respective (XX) aliases, separated by a vertical bar "|"\&.
+.RS
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fI(OI)\fR
+Object Inherit 0x1
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fI(CI)\fR
+Container Inherit 0x2
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fI(NP)\fR
+No Propagate Inherit 0x4
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fI(IO)\fR
+Inherit Only 0x8
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fI(I)\fR
+ACE was inherited 0x10
+.RE
+.sp
+.RE
+.PP
+The mask is a value which expresses the access right granted to the SID\&. It can be given as a decimal or hexadecimal value, or by using one of the following text strings which map to the NT file permissions of the same name\&.
+.RS
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIR\fR
+\- Allow read access
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIW\fR
+\- Allow write access
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIX\fR
+\- Execute permission on the object
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fID\fR
+\- Delete the object
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIP\fR
+\- Change permissions
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIO\fR
+\- Take ownership
+.RE
+.sp
+.RE
+.PP
+The following combined permissions can be specified:
+.RS
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIREAD\fR
+\- Equivalent to \*(AqRX\*(Aq permissions
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fICHANGE\fR
+\- Equivalent to \*(AqRXWD\*(Aq permissions
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIFULL\fR
+\- Equivalent to \*(AqRWXDPO\*(Aq permissions
+.RE
+.SH "INHERITANCE"
+.PP
+Per\-ACE inheritance flags can be set in the ACE flags field\&. By default, inheritable ACEs e\&.g\&. those marked for object inheritance (OI) or container inheritance (CI), are not propagated to sub\-files or folders\&. However, with the
+\fI\-\-propagate\-inheritance\fR
+argument specified, such ACEs are automatically propagated according to some inheritance rules\&.
+.RS
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Inheritable (OI)(OI) ACE flags can only be applied to folders\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Any inheritable ACEs applied to sub\-files or folders are marked with the inherited (I) flag\&. Inheritable ACE(s) are applied to folders unless the no propagation (NP) flag is set\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+When an ACE with the (OI) flag alone set is progagated to a child folder the inheritance only flag (IO) is also applied\&. This indicates the permissions associated with the ACE don\*(Aqt apply to the folder itself (only to it\*(Aqs child files)\&. When applying the ACE to a child file the ACE is inherited as normal\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+When an ace with the (CI) flag alone set is propagated to a child file there is no effect, when propagated to a child folder it is inherited as normal\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+When an ACE that has both (OI) & (CI) flags set the ACE is inherited as normal by both folders and files\&.
+.RE
+.sp
+.RE
+.PP
+(OI)(READ) added to parent folder
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
++\-parent/        (OI)(READ)
+| +\-file\&.1       (I)(READ)
+| +\-nested/      (OI)(IO)(I)(READ)
+  |   +\-file\&.2   (I)(READ)
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+(CI)(READ) added to parent folder
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
++\-parent/        (CI)(READ)
+| +\-file\&.1
+| +\-nested/      (CI)(I)(READ)
+  |   +\-file\&.2
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+(OI)(CI)(READ) added to parent folder
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
++\-parent/        (OI)(CI)(READ)
+| +\-file\&.1       (I)(READ)
+| +\-nested/      (OI)(CI)(I)(READ)
+  |   +\-file\&.2   (I)(READ)
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+(OI)(NP)(READ) added to parent folder
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
++\-oi_dir/        (OI)(NP)(READ)
+| +\-file\&.1       (I)(READ)
+| +\-nested/
+|   +\-file\&.2
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+(CI)(NP)(READ) added to parent folder
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
++\-oi_dir/        (CI)(NP)(READ)
+| +\-file\&.1
+| +\-nested/      (I)(READ)
+|   +\-file\&.2
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+(OI)(CI)(NP)(READ) added to parent folder
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
++\-parent/        (CI)(OI)(NP)(READ)
+| +\-file\&.1       (I)(READ)
+| +\-nested/      (I)(READ)
+|   +\-file\&.2
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Files and folders with protected ACLs do not allow inheritable permissions (set with
+\fI\-I\fR)\&. Such objects will not receive ACEs flagged for inheritance with (CI) or (OI)\&.
+.SH "EXIT STATUS"
+.PP
+The
+smbcacls
+program sets the exit status depending on the success or otherwise of the operations performed\&. The exit status may be one of the following values\&.
+.PP
+If the operation succeeded, smbcacls returns and exit status of 0\&. If
+smbcacls
+couldn\*(Aqt connect to the specified server, or there was an error getting or setting the ACLs, an exit status of 1 is returned\&. If there was an error parsing any command line arguments, an exit status of 2 is returned\&.
+.SH "VERSION"
+.PP
+This man page is part of version 4\&.16\&.4 of the Samba suite\&.
+.SH "AUTHOR"
+.PP
+The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
+.PP
+smbcacls
+was written by Andrew Tridgell and Tim Potter\&.
+.PP
+The conversion to DocBook for Samba 2\&.2 was done by Gerald Carter\&. The conversion to DocBook XML 4\&.2 for Samba 3\&.0 was done by Alexander Bokovoy\&.