[Samba] Fetching ACL data from extended attributes

Steve Tice stic6021 at yahoo.com
Tue Mar 8 23:53:41 UTC 2016

Thanks for providing the rpcclient command - that's news to me. It turns out the SD at the share level looks as expected. That's a good start. However, some of the output from smbcacls includes surprises. For example, the value of the record labeled "CONTROL" is not necessarily as expected - but I'm guessing at the meaning of the acronyms in use (SR, PD, SI, DI, DP). Does anyone know of documentation describing the output from smbcacls? If it can be interpreted by studying some Microsoft documents, references to them would be helpful.
I've also looked closely at the output from "getfattr -n security.NTACL <some-directory>". In some cases, two directories on different Samba servers can have identical getfattr output and different smbcacls output. That probably means the output from smbcacls depends on more than just the value stored in security.NTACL. I'm working to identify missing puzzle pieces, such as the role played by inheritance, and understand how "security.NTACL" and that ACL's content as displayed by smbcacls are related (and how they are unrelated). All insight is welcomed.

      From: pisymbol . <pisymbol at gmail.com>

Steve, `smbcacls` dumps ACLs on a per file/directory basis and
`rpcclient -c 'netshareenum 502' <server>` dumps security descriptors
of a share.

I've always felt that returning the RAW SD should be an option for the
standard samba tools (for applications that need it).


