[SAMBA] smbcacls syntax eludes me (perhaps)

James G. Sack jgsack at san.rr.com
Mon Aug 23 06:19:36 GMT 2004


Answering my own call for help (since "the enemy was me")..

> From: James G. Sack <jgsack at san.rr.com>
> ..Date: 20 Aug 2004 01:30:46 -0700
>..
> I can't seem to grasp the right syntax for smbcacls

> I try to give tstuser read-perms
>   smbcacls //x126/b1 hi -Ujgs%jgs -M 'ACL:"X126"\tstuser:1/0/R'
> and I get
>   Failed to parse ACL ACL:X126\tstuser
> 
> Any syntax variation I try (incl, ie: ALLOWED in place of the 1)
> produces the same error. 
> -d3 adds
>   lsa_io_sec_qos: length c does not match size 8

I got my answer 
  by:
    1. looking at the source in smbcacls.c (ain't Open Source great!)
    2. slowing down, and proceeding more methodically
    3. paying closer attention to instructions AND error messages

- The quotes around my hostname X126 were a result of extraneous quotes
in smb.conf netbios name=. Eliminating the quotes gave me more normal
behavior to smbclient -L and nmblookup.

- I believe I may have been typing lowercase "allowed" instead of
"ALLOWED", and perhaps even / instead of \ (sometimes), so slowing down
got me to the realization that ..:'X126\tstuser':ALLOWED.. or
..X126\\tstuser:ALLOWED.. or simply ..:tstuser:ALLOWED.. all work
equally well, and eliminate the "Failed to parse" message. 
  I may sometimes have also been typing "RW" (and invalidating my ACL
string).

- At times I was using -M when I should have been using -a, and not
noticing that the message changed to 
  "ACL for SID X126\tstuser not found"
and I also think I was *assuming* that ALLOWED/DENIED must be the same
as 1/0 <heh>.


==> So for others who may benefit from explicit examples: 

on an object "hi" that has no ACLs for user tstuser
  ("hi" owned by jgs, in a share and directory writable by jgs),

 smbcacls -Ujgs%jgs -a ACL:tstuser:ALLOWED/0/R //localhost/b1 hi

works fine (although I still don't understand why the resulting perms
seem different from what I asked for, unless I use numeric vals --
eg,0x00120089).

..and.. 

 smbcacls -Ujgs%jgs -M ACL:tstuser:ALLOWED/0/R //localhost/b1 hi

works fine after user tstuser shows some (any) acl properties.

Also: the -D refuses to delete an ACL unless you specify exactly the
correct existing value, so, it may be useful to give a sequence like:
  -M .../FULL
followed by a 
  -D .../FULL

Regards,
..jim
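
An added example, not part of the original post: a small shell pre-flight check for the pitfalls described above. It chooses -a or -M depending on whether the user already has an ACE, prints the exact existing ACE that -D would need, and rejects a TYPE field that is not uppercase ALLOWED or DENIED. The function names and the sample listing are constructed for illustration; the listing is assumed to use the same ACL:name:TYPE/FLAGS/MASK lines as the post.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, SAMPLE_LISTING is constructed
# (it stands in for what "smbcacls //localhost/b1 hi" would print).
SAMPLE_LISTING='REVISION:1
OWNER:X126\jgs
GROUP:X126\jgs
ACL:X126\jgs:ALLOWED/0/FULL
ACL:X126\tstuser:ALLOWED/0/READ'

# existing_ace LISTING USER
# Print the exact ACE line(s) held by USER, matching the account name with or
# without a DOMAIN\ prefix. This is the string -D has to be given verbatim.
existing_ace() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == "ACL" { n = $2; sub(/^.*\\/, "", n); if (n == u) print }'
}

# choose_op LISTING USER
# -M only modifies an ACE that already exists; otherwise -a has to add one.
choose_op() {
    if [ -n "$(existing_ace "$1" "$2")" ]; then
        printf '%s\n' "-M"
    else
        printf '%s\n' "-a"
    fi
}

# valid_type ACE
# Strict check following the post: TYPE must be uppercase ALLOWED or DENIED,
# followed by /FLAGS/MASK. Lowercase "allowed" and numeric 1/0 are rejected.
valid_type() {
    case "${1##*:}" in
        ALLOWED/*/*|DENIED/*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# plan_cmd LISTING USER ACE
# Print the option and ACE argument to pass to smbcacls (nothing is executed).
plan_cmd() {
    valid_type "$3" || { echo "reject: TYPE must be ALLOWED or DENIED" >&2; return 1; }
    printf '%s %s\n' "$(choose_op "$1" "$2")" "$3"
}

plan_cmd "$SAMPLE_LISTING" tstuser 'ACL:tstuser:ALLOWED/0/R'
```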


