When an SMB client tries to access a native SMB file (that is, with Windows security information), the server checks the user information against the file's security information to determine whether an operation is permissible:
- User Security. This information is contained in an access token, which is made up of the user security identifier (SID), primary group SID, and other SIDs. The server receives the token from the domain controller and caches it for use throughout the user's session.
- File Security. This information is contained in a file's security descriptor, which is made up of the owner SID, group SID, and access control list (ACL). The ACL can contain several access control entries (ACEs), which specify the conditions for access.
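The check described above, an access token of SIDs evaluated against a security descriptor's ACL, follows the standard Windows DACL walk: ACEs are read in order, a deny entry that overlaps any still-outstanding requested right refuses access at once, and allow entries accumulate until every requested bit is covered. The following is an added illustration of that algorithm in Python; it is not the product's code, and the SIDs, access-mask constants and ACEs are constructed sample values (the constant values follow the Windows access-mask layout, but the sample SIDs are placeholders).

```python
# Added illustration of a Windows-style DACL access check against a token of
# SIDs. Constructed sample data; not the product's own implementation.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Access-mask bits (values follow the Windows file access-mask layout)
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_APPEND_DATA = 0x0004
FILE_EXECUTE = 0x0020
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000

ALLOW, DENY = "allow", "deny"


@dataclass
class ACE:
    kind: str  # ALLOW or DENY
    sid: str   # trustee the entry applies to
    mask: int  # access-mask bits the entry allows or denies


@dataclass
class SecurityDescriptor:
    owner_sid: str
    group_sid: str
    dacl: Optional[List[ACE]]  # None = no DACL present: unrestricted access


@dataclass
class AccessToken:
    user_sid: str
    primary_group_sid: str
    other_sids: List[str] = field(default_factory=list)

    def sids(self) -> Set[str]:
        return {self.user_sid, self.primary_group_sid, *self.other_sids}


def access_check(token: AccessToken, sd: SecurityDescriptor, requested: int) -> Tuple[bool, str]:
    """Return (granted, reason). ACEs are walked in order; a deny ACE that
    overlaps an outstanding requested bit refuses access immediately; allow
    ACEs accumulate until every requested bit has been granted."""
    if requested == 0:
        return True, "nothing requested"
    if sd.dacl is None:
        return True, "no DACL: unrestricted"
    sids = token.sids()
    granted = 0
    # The owner is implicitly allowed to read and rewrite the descriptor.
    if sd.owner_sid in sids:
        granted |= (READ_CONTROL | WRITE_DAC) & requested
    remaining = requested & ~granted
    if remaining == 0:
        return True, "satisfied by owner rights"
    for i, ace in enumerate(sd.dacl):
        if ace.sid not in sids:
            continue  # entry is for a trustee not present in the token
        if ace.kind == DENY and ace.mask & remaining:
            return False, f"denied by ACE #{i} for {ace.sid}"
        if ace.kind == ALLOW:
            granted |= ace.mask & requested
            remaining = requested & ~granted
            if remaining == 0:
                return True, f"granted after ACE #{i}"
    return False, f"unsatisfied bits 0x{remaining:x}"


# Constructed sample: placeholder SIDs, a user group, and a machine account
# (computer accounts are ordinary SIDs from the token's point of view).
ALICE, BOB = "S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-1002"
USERS_GROUP, COMPUTERS_GROUP = "S-1-5-21-1-1-1-513", "S-1-5-21-1-1-1-515"
HYPERV_HOST = "S-1-5-21-1-1-1-1003"  # placeholder SID of a machine account

SAMPLE_SD = SecurityDescriptor(
    owner_sid=ALICE,
    group_sid=USERS_GROUP,
    dacl=[
        ACE(DENY, BOB, FILE_WRITE_DATA),                          # explicit deny first
        ACE(ALLOW, USERS_GROUP, FILE_READ_DATA | FILE_WRITE_DATA),
        ACE(ALLOW, HYPERV_HOST, FILE_READ_DATA | FILE_WRITE_DATA | DELETE),
    ],
)
ALICE_TOKEN = AccessToken(ALICE, USERS_GROUP)
BOB_TOKEN = AccessToken(BOB, USERS_GROUP)
HYPERV_TOKEN = AccessToken(HYPERV_HOST, COMPUTERS_GROUP)

if __name__ == "__main__":
    for name, tok, req in [("alice write", ALICE_TOKEN, FILE_WRITE_DATA),
                           ("bob write", BOB_TOKEN, FILE_WRITE_DATA),
                           ("bob read", BOB_TOKEN, FILE_READ_DATA),
                           ("hyperv delete", HYPERV_TOKEN, DELETE)]:
        print(name, access_check(tok, SAMPLE_SD, req))
```

The ordering matters: because Bob's deny ACE precedes the group allow that would otherwise cover him, his write request is refused while his read request, which the deny mask does not touch, still succeeds through the group entry.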
ACEs can be modified or deleted using a set of CLI commands, the cacls commands. This set includes cacls-add, cacls-del, cacls-fields, cacls-mask-in, cacls-mask-out, and cacls-set. For more information on these commands, refer to the Command Line Reference.
Note: SMB can assign rights to machine (computer) accounts. A machine account is generated automatically by the operating system and registered in Active Directory, and it can be used for authentication within a domain. Machine-account authentication can only be performed by an application that has built-in support for it. For example, Hyper-V server allows virtual machines to be stored on remote shares; such shares should allow full access for the machine account of the computer running Hyper-V server. The feature works the same way as authentication of a normal user for an SMB session: an authenticated connection that uses a machine account appears in the "connection" command output just as a normal user connection would. The man pages for cifs-saa and cacls-add include an example of computer account use.