Attempting to modify an ACE with "smbcacls", when another ACE exists that applies to the same user, can lead to unintended removal of the ACE: ------------------------------ mcrs3:/TCS # smbcacls //mcrs3/TCS /testdir -k yes REVISION:1 CONTROL:SR|DP OWNER:VPTC3\cifsuser GROUP:VPTC3\Domain Users ACL:VPTC3\Domain Admins:ALLOWED/CI/FULL ACL:VPTC3\Domain Admins:ALLOWED/OI|IO/RWDPO ACL:VPTC3\ptstest:ALLOWED/CI/READ ACL:VPTC3\ptstest:ALLOWED/OI|IO/R ACL:VPTC3\cifsuser:ALLOWED/CI/FULL ACL:VPTC3\cifsuser:ALLOWED/OI|IO/RWDPO mcrs3:/TCS # smbcacls //mcrs3/TCS /testdir -k yes -M "ACL:VPTC3\ptstest:ALLOWED/CI/FULL" mcrs3:/TCS # smbcacls //mcrs3/TCS /testdir -k yes REVISION:1 CONTROL:SR|DP OWNER:VPTC3\cifsuser GROUP:VPTC3\Domain Users ACL:VPTC3\Domain Admins:ALLOWED/CI/FULL ACL:VPTC3\Domain Admins:ALLOWED/OI|IO/RWDPO ACL:VPTC3\ptstest:ALLOWED/CI/FULL # the "ALLOWED/OI|IO/R" ACE that applies to "VPTC3\ptstest" is missing ACL:VPTC3\cifsuser:ALLOWED/CI/FULL ACL:VPTC3\cifsuser:ALLOWED/OI|IO/RWDPO mcrs3:/TCS # ------------------------------ The smbcacls man page states that the "-M" option should "Modify the mask value (permissions) for the ACEs specified on the command line", with no mention of the flags. The ACE is defined as "ACL:<sid or name>:<type>/<flags>/<mask>". In this case, my expectation is that for any ACE in which the name, type, and flags match, the mask will be updated. It also seems incorrect that the entries are prefixed with "ACL" rather than "ACE". My version of sernet-samba is 99:4.12.2-11.suse150.