Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.2


Updated: July 2014

SMB Share Access Control

The SMB server uses the following access-control mechanisms to limit access to data shared by using SMB:

  • Host-based access control limits access to shares based on which client system is making the request.

  • Share ACLs limit user and group access to shares.

  • File and directory ACLs limit user and group access to individual files and directories.

Host-based access control is applied first and grants or denies access to the client system. If the client system is granted access, the share ACL is then applied to grant or deny access to the user. Finally, the individual file and directory ACLs are consulted. You can access the data shared by using SMB only if all three access control mechanisms allow the access.

Shares are always created with the default share ACL and, unless otherwise specified when the share is created, default host-based access control. You can apply non-default share ACLs to the share after the share is created.

Host-Based Access Control to SMB Shares

Host-based access control enables you to limit the access of a host or group of hosts to an SMB share. This host-based access control is enforced only for SMB access, not for local access or access through other protocols. By default, all hosts have full access to a share. The SMB server enforces host-based access control each time a client requests a connection to a share.

You can use the zfs set and share commands to specify host-based access control on a share. For more information, see How to Restrict Client Host Access to an SMB Share (zfs). For more information about the share command, see the share (1M) man page. For more information about the zfs command, see the zfs (1M) man page. For more information about SMB shares, see the share_smb (1M) man page. For information about the available options for sharing a ZFS file system, see the zfs_share (1M) man page.
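Because every share starts with the default host-based access control (all hosts, full access), an administrator usually wants to know which SMB shares still rely on that default. The following POSIX sh audit is an added example, not part of the Oracle documentation: it reads zfs get -H output and reports, per SMB-shared file system, whether any host-based restriction is set; the share.smb.none, share.smb.ro and share.smb.rw property names are taken from zfs_share(1M) rather than from this page, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: audit SMB-shared ZFS file systems for host-based
# access control still at the default (every host has full access).
# Expected input: tab-separated lines "name<TAB>property<TAB>value", as
# produced by:
#   zfs get -H -o name,property,value -r \
#       share.smb,share.smb.none,share.smb.ro,share.smb.rw tank
# share.smb.* property names are assumed from zfs_share(1M).

# Constructed sample output (not captured from a real system).
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        tank/pub     share.smb      on \
        tank/pub     share.smb.none - \
        tank/pub     share.smb.ro   - \
        tank/pub     share.smb.rw   - \
        tank/hr      share.smb      on \
        tank/hr      share.smb.none '*' \
        tank/hr      share.smb.rw   'hrsrv1:hrsrv2' \
        tank/scratch share.smb      off \
        tank/scratch share.smb.rw   '*'
}

# Reads zfs get output on stdin; prints "<fs> restricted" or
# "<fs> DEFAULT (all hosts full access)" for each SMB-shared file system.
# File systems with share.smb=off are skipped; a restriction on an
# unshared file system has no effect and is therefore not reported.
audit_smb_hosts() {
    awk '
    $2 == "share.smb" { smb[$1] = $3 }
    $2 == "share.smb.none" || $2 == "share.smb.ro" || $2 == "share.smb.rw" {
        # "-" (or empty) is what zfs get shows for an unset property
        if ($3 != "-" && $3 != "") restricted[$1] = 1
    }
    END {
        for (fs in smb) {
            if (smb[fs] == "off") continue
            status = (fs in restricted) ? "restricted" : "DEFAULT (all hosts full access)"
            print fs, status
        }
    }' | sort
}

# Stand-alone run over the constructed sample.
sample_zfs_get | audit_smb_hosts
```

On a real system, pipe the zfs get command shown in the comment into audit_smb_hosts instead of sample_zfs_get.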

Access Control Lists on SMB Shares

An ACL on a ZFS share provides the same level of access control as a Windows ACL does for its shares. Each share can have an ACL that includes entries to specify which types of access are allowed or denied to users and groups. Like host-based access control, this mechanism is a share-level form of access control and does not apply to local file access.

These share ACLs are only available for ZFS shares. You can manage a ZFS share's ACL in the Oracle Solaris OS by using the chmod and ls commands. For more information, see the chmod (1) and ls (1) man pages. You can also manage these ACLs by using the Windows share management GUI on a Windows client. For more information, see Setting ACLs on ZFS Files in Managing ZFS File Systems in Oracle Solaris 11.2.

Although a ZFS file system is used to store a share's ACL, the access control is enforced by the SMB server each time a client requests a connection to a share. Access control lists are enforced only for SMB access, not for local access or access through other protocols. The default ACL setting permits full access to everyone.


Note -  You cannot specify an ACL on an autohome share. Autohome shares are created at runtime with a predefined, unmodifiable ACL that grants full control to the owner. Only the autohome share owner can access the share.