Access Control Lists on SMB Shares

An ACL on a ZFS share provides the same level of access control as a Windows ACL does for its shares. Each share can have an ACL that includes entries to specify which types of access are allowed or denied to users and groups. Like host-based access control, this mechanism is a share-level form of access control and does not apply to local file access.

These share ACLs are only available for ZFS shares. You can manage a ZFS share's ACL in the Oracle Solaris OS by using the chmod and ls commands. For more information, see the chmod(1) and ls(1) man pages. You can also manage these ACLs by using the Windows share management GUI on a Windows client. For more information, see Setting ACLs on ZFS Files in Securing Files and Verifying File Integrity in Oracle Solaris 11.4.

Although a ZFS file system is used to store a share's ACL, the access control is enforced by the SMB server each time a client requests a connection to a share. Access control lists are enforced only for SMB access, not for local access or access through other protocols. The default ACL setting permits full access to everyone.
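The inspect-and-restrict sequence those two paragraphs describe, as an added example (not from the Oracle documentation) that tightens the default "full access to everyone" share ACL with the chmod and ls commands. It assumes Oracle Solaris 11.4, a file system /pool/projects shared over SMB as "projects", a local group "engineering", and that the share ACL object lives under the file system's .zfs/shares directory; the path, share name and group name are assumptions of this example.

```shell
#!/bin/sh
# Assumed layout for this example: ZFS file system /pool/projects, SMB share
# name "projects". On Solaris the share ACL is kept as an object under
# <fs>/.zfs/shares/<share>; the paths here are illustrative.
FS=/pool/projects
SHARE=projects
SHARE_ACL="$FS/.zfs/shares/$SHARE"

# Compose a Solaris chmod(1) ACL specification: the named group gets Full
# Control (full_set) and everyone@ is reduced to read-only (read_set).
# Share ACL entries are evaluated in order, so the group allow is listed first.
build_share_acl() {
    grp=$1
    printf 'group:%s:full_set:allow,everyone@:read_set:allow' "$grp"
}

# Show the current share ACL verbosely (ls -V is the Solaris ACL listing flag).
# On a fresh share this shows everyone@ with full control, the default described above.
show_share_acl() {
    ls -V "$SHARE_ACL"
}

# Replace the entire share ACL (chmod A=) with the restricted specification.
# Only SMB clients are affected: local access and other protocols are governed
# by the file system ACLs, which must be reviewed separately.
restrict_share_acl() {
    chmod A="$(build_share_acl "$1")" "$SHARE_ACL"
}

# Typical use on the Solaris host:
#   show_share_acl                  # confirm the default full-access entry
#   restrict_share_acl engineering  # group full control, everyone else read-only
#   show_share_acl                  # verify the new entries in order
```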

Administrators with appropriate privileges can set ACL entries to audit access attempts to specific files. For more information about auditing events related to specific files, see New Feature – Per-Object Logging of Audit Events in Managing Auditing in Oracle Solaris 11.4. For information about how to specify files that must be audited, see Specifying Files or Directories to Be Audited in Managing Auditing in Oracle Solaris 11.4. For information about reviewing SMB authentication events with the audit tools, see SMB Auditing.

Note:

You cannot specify an ACL on an autohome share. Autohome shares are created at runtime with a predefined, unmodifiable ACL that grants full control to the owner. Only the autohome share owner can access the share.