Answering my own call for help (since "the enemy was me")..
> From: James G. Sack <jgsack@san.rr.com>
> ..Date: 20 Aug 2004 01:30:46 -0700
>..
> I can't seem to grasp the right syntax for smbcacls
> I try to give tstuser read-perms
> smbcacls //x126/b1 hi -Ujgs%jgs -M 'ACL:"X126"\tstuser:1/0/R'
> and I get
> Failed to parse ACL ACL:X126\tstuser
>
> Any syntax variation I try (incl, ie: ALLOWED in place of the 1)
> produces the same error.
> -d3 adds
> lsa_io_sec_qos: length c does not match size 8
I got my answer by:
1. looking at the source in smbcacls.c (ain't Open Source great!)
2. slowing down, and proceeding more methodically
3. paying closer attention to instructions AND error messages
- The quotes around my hostname X126 were a result of extraneous quotes
in smb.conf netbios name=. Eliminating the quotes gave me more normal
behavior to smbclient -L and nmblookup.
- I believe I may have been typing lowercase "allowed" instead of
"ALLOWED", and perhaps even / instead of \ (sometimes), so slowing down
got me to the realization that ..:'X126\tstuser':ALLOWED.. or
..X126\\tstuser:ALLOWED.. or simply ..:tstuser:ALLOWED.. all work
equally well, and eliminate the "Failed to parse" message.
I may sometimes have also been typing "RW" (and invalidating my ACL
string).
- At times I was using -M when I should have been using -a, and not
noticing that the message changed to
"ACL for SID X126\tstuser not found"
and I also think I was *assuming* that ALLOWED/DENIED must be the same
as 1/0 <heh>.
==> So for others who may benefit from explicit examples:
on an object "hi" that has no ACLs for user tstuser
("hi" owned by jgs, in a share and directory writable by jgs),
smbcacls -Ujgs%jgs -a ACL:tstuser:ALLOWED/0/R //localhost/b1 hi
works fine (although I still don't understand why the resulting perms
seem different from what I asked for, unless I use numeric vals --
e.g., 0x00120089).
..and..
smbcacls -Ujgs%jgs -M ACL:tstuser:ALLOWED/0/R //localhost/b1 hi
works fine after user tstuser shows some (any) acl properties.
Also: the -D refuses to delete an ACL unless you specify exactly the
correct existing value, so, it may be useful to give a sequence like:
-M .../FULL
followed by a
-D .../FULL
Regards,
..jim
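
The pitfalls listed in the message above, turned into a pre-flight check plus a helper that picks -a or -M from an existing listing. This is an added example, not part of the original post or of Samba: `lint_ace` and `pick_mode` are hypothetical names, the sample listing is constructed, and the mask field is not validated.

```shell
#!/bin/sh
# Added example, not from the original post. Checks only pitfalls the post names.

# Constructed sample of an smbcacls listing for "hi" before tstuser has an ACE.
SAMPLE_LISTING='REVISION:1
OWNER:X126\jgs
GROUP:X126\jgs
ACL:X126\jgs:ALLOWED/0/FULL'

# lint_ace ACE: report the post's pitfalls; exit status 0 means none were found.
lint_ace() {
    ace=$1 rc=0
    case $ace in
        ACL:*:*/*/*) ;;
        *) printf 'not of the form ACL:name:type/flags/mask\n'; return 1 ;;
    esac
    rest=${ace#ACL:}      # name:type/flags/mask
    name=${rest%:*}       # everything before the last colon
    type=${rest##*:}      # type/flags/mask
    type=${type%%/*}      # keep only the type field
    case $name in *'"'*) printf 'double quote in name: %s\n' "$name"; rc=1 ;; esac
    case $name in */*) printf 'forward slash in name, use a backslash: %s\n' "$name"; rc=1 ;; esac
    case $type in
        ALLOWED|DENIED) ;;
        *) printf 'type "%s" is not the keyword ALLOWED or DENIED\n' "$type"; rc=1 ;;
    esac
    return "$rc"
}

# pick_mode USER: read a listing on stdin; print -M if USER already has an ACE, else -a.
pick_mode() {
    mode=-a
    while IFS= read -r line; do
        case $line in
            "ACL:$1:"*|"ACL:"*"\\$1:"*) mode=-M ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Print (not run) the command for the post's example object and user.
ACE='ACL:tstuser:ALLOWED/0/R'
if lint_ace "$ACE"; then
    flag=$(printf '%s\n' "$SAMPLE_LISTING" | pick_mode tstuser)
    printf 'smbcacls -Ujgs %s %s //localhost/b1 hi\n' "$flag" "$ACE"
fi
```

Feed `pick_mode` with printf rather than echo, since some shells' echo would turn the `\t` in `X126\tstuser` into a tab.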