[Samba] Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients

ronnie sahlberg ronniesahlberg at gmail.com
Thu Feb 28 22:05:52 UTC 2019

In current kernels we have the new IOCTL / QueryInfo passthrough where
 you can use a simple ioctl() on an object in a SMB2/3 share and pull
the full security descriptor.
It would be fairly trivial to expand this to allow setting the
security descriptor too using SetInfo. We can add that when there is a

Now, since this is available through a simple ioctl() interface, you
can access this from almost any language that has support for calling
the ioctl() syscall.

What I think would be really awesome is if we had a python tool that
mimics the same UI as you have in explorer when you go to
That would be really really nice.
Anyone that wants to take a stab at implementing this, reach out to me
and I can assist/advice.

Once we have a tool like this with a nice operational UI. We can start
petition Nautilus and other FileManager folks to integrate it.
That would be super awesome.

ronnie sahlberg

On Fri, Mar 1, 2019 at 5:49 AM Steve French via samba-technical
<samba-technical at lists.samba.org> wrote:
>  ACL management can be done for SMB2/SMB3 ACLs with two common tools
> depending on your preference.
> smbcacls   (somewhat similar to using cacls.exe or icacls.exe in
> Windows but specifying the UNC name rather than a local path name).
> smbcacls sets up and tears down a network connection each time it is
> run and uses Samba user space code.
> or setcifsacl/getcifsacl (which calls cifs.ko to access the ACL from
> the SMB3 mount)
> I have run into a few problems in the past with smbcacls with Kerberos
> (I need to post more details on that on samba-technical or dive in and
> fix it), and am fixing a problem currently with running setcifsacl
> (get works fine) to Azure, but setcifsacl has worked fine in my
> experience to a variety of servers (Windows, Samba etc.)
> If you are getting rc=-95 from getcifsacl or setcifsacl the most
> likely reason is that the local path you specified is not on an
> cifs.ko (e.g. SMB3) mount.   It is also possible that ACL support was
> disabled when building cifs.ko (you can do "cat
> /proc/fs/cifs/DebugData | grep Features" to list the build options
> that were used to build cifs.ko such as whether ACL support was
> enabled)
> On Tue, Feb 26, 2019 at 03:05:12PM +0000, Kraus, Sebastian via samba wrote:
> > Dear all,
> > what is about the support for POSIX ACL in Samba protocol implementation of SMB2 and SMB3?
> > From what I extracted from SNIA and SambaXP developer conference talks and as well as the official Samba Wiki,
> > support for POSIX ACL in SMB2 and SMB3 has been completely abandonned. Am I right?
> > If so, is there any other possibility to allow Linux Clients to natively access access control lists
> > (via NT Security Descriptor, NFSv4 ACL, CIFS ACL) under SMB2/SMB3 on commandline and/or from GUI applications?
> --
> Thanks,
> Steve

More information about the samba mailing list