[Samba] Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients

Steve French smfrench at gmail.com
Thu Feb 28 19:48:20 UTC 2019

 ACL management can be done for SMB2/SMB3 ACLs with two common tools
depending on your preference.

smbcacls   (somewhat similar to using cacls.exe or icacls.exe in
Windows but specifying the UNC name rather than a local path name).
smbcacls sets up and tears down a network connection each time it is
run and uses Samba user space code.

or setcifsacl/getcifsacl (which calls cifs.ko to access the ACL from
the SMB3 mount)

I have run into a few problems in the past with smbcacls with Kerberos
(I need to post more details on that on samba-technical or dive in and
fix it), and am fixing a problem currently with running setcifsacl
(get works fine) to Azure, but setcifsacl has worked fine in my
experience to a variety of servers (Windows, Samba etc.)

If you are getting rc=-95 from getcifsacl or setcifsacl the most
likely reason is that the local path you specified is not on an
cifs.ko (e.g. SMB3) mount.   It is also possible that ACL support was
disabled when building cifs.ko (you can do "cat
/proc/fs/cifs/DebugData | grep Features" to list the build options
that were used to build cifs.ko such as whether ACL support was

On Tue, Feb 26, 2019 at 03:05:12PM +0000, Kraus, Sebastian via samba wrote:
> Dear all,
> what is about the support for POSIX ACL in Samba protocol implementation of SMB2 and SMB3?
> From what I extracted from SNIA and SambaXP developer conference talks and as well as the official Samba Wiki,
> support for POSIX ACL in SMB2 and SMB3 has been completely abandonned. Am I right?
> If so, is there any other possibility to allow Linux Clients to natively access access control lists
> (via NT Security Descriptor, NFSv4 ACL, CIFS ACL) under SMB2/SMB3 on commandline and/or from GUI applications?



More information about the samba mailing list