diff --git a/docs/htmldocs/smbcacls.1.html b/docs/htmldocs/smbcacls.1.html
index a48330c5b6b..b7a048a1f3e 100644
--- a/docs/htmldocs/smbcacls.1.html
+++ b/docs/htmldocs/smbcacls.1.html
@@ -17,7 +17,7 @@
NAME
- smbcacls - Set or get ACLs on an NT file
+ smbcacls - Set or get ACLs on an NT file or directory
SYNOPSIS
@@ -33,24 +33,27 @@ SMB file shares.
OPTIONS
-The following options are available to the smbcacls program:
+
The following options are available to the smbcacls program. The
+format of ACLs is described in the section ACL FORMAT
- -A acls
-
-
Add the ACLs specified to the ACL list.
+
Add the ACLs specified to the ACL list. Existing access control entries
+are unchanged.
- -M acls
-
Modify the mask value (permissions) for the ACLs specified on the command
-line. An error will be printed if the ACL specified is not already present
-in the ACL list
+line. An error will be printed for each ACL specified that was not already
+present in the ACL list.
- -D acls
-
-
Delete any ACLs specfied on the command line. An error is printed if any
-of the ACLs specified are not present in the ACL list.
+
Delete any ACLs specfied on the command line. An error will be printed for
+each ACL specified that was not already present in the ACL list.
- -S acls
-
-
This command deletes the current ACLs for the file or directory and
-replaces them with the ACLs specified on the command line.
+
This command sets the ACLs on the file with only the ones specified on the
+command line. All other ACLs are erased. Note that the ACL specified must
+contain at least a revision, type, owner and group for the call to succeed.
- -U username
-
Specifies a username used to connect to the specified service. The
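Review bot: The new -S text requires "at least a revision, type, owner and group", but the ACL FORMAT section added later in this patch defines only REVISION, OWNER, GROUP and ACL entries and says the revision defaults to 1 when not specified. There is no standalone "type" entry, so name the mandatory entries with the same keywords ACL FORMAT uses, or explain what "type" refers to here. Because -S erases every entry that is not listed, the minimum valid input should be stated unambiguously.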
@@ -68,6 +71,58 @@ format.
- -h
-
Print usage information on the smbcacls program
+
+
ACL FORMAT
+
+The format of an ACL is one or more ACL entries separated by either spaces,
+commas or newlines. An ACL entry is one of the following:
+
+
+REVISION:<revision number>
+OWNER:<sid or name>
+GROUP:<sid or name>
+ACL:<sid or name>:<type>/<flags>/<mask>
+
+
+The revision of the ACL specifies the internal Windows NT ACL revision for
+the security descriptor. If not specified it defaults to 1.
+
The owner and group specify the owner and group sids for the object. If a
+SID in the format S-1-x-y-z
is specified this is used, otherwise
+the name specified is resolved using the server on which the file or
+directory resides.
+
ACLs specify permissions granted to the SID. This SID again can be
+specified in S-1-x-y-z
format or as a name in which case it is resolved
+against the server on which the file or directory resides. The type, flags
+and mask values determine the type of access granted to the SID.
+
The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to
+the SID. The flags values are generally zero for file ACLs and either 9 or
+2 for directory ACLs. Some common flags are:
+
+
+#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
+#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
+#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
+#define SEC_ACE_FLAG_INHERIT_ONLY 0x8
+
+
+The mask is a value which expresses the access right granted to
+the SID. It can be given as a hexadecimal value or by using one of the
+following text strings which map to the NT file permissions of the same
+name.
+
+-
R
Allow read access
+ -
W
Allow write access
+ -
X
Execute permission on the object
+ -
D
Delete the object
+ -
P
Change permissions
+ -
O
Take ownership
+
+The following combined permissions can be specified:
+
+-
READ
Equivalent to RX
permissions
+ -
CHANGE
Equivalent to RXWD
permissions
+ -
FULL
Equivalent to RWXDPO
permissions
+
EXIT STATUS
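Review bot: In the flags paragraph, "either 9 or 2 for directory ACLs" gives bare numbers without tying them to the four defines listed directly below. Spell out that 9 is SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY (0x1 | 0x8) and 2 is SEC_ACE_FLAG_CONTAINER_INHERIT, and say whether the flags field is read as decimal or hex, since the defines are hex and the mask is described as "a hexadecimal value". The R and W descriptions also say "Allow ... access" although the same mask letters are used with type 1 (DENIED); "Read access" and "Write access" would match the wording of the other four entries.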
diff --git a/docs/manpages/smbcacls.1 b/docs/manpages/smbcacls.1
index 69e9a92ef4b..52b6a6ce3f4 100644
--- a/docs/manpages/smbcacls.1
+++ b/docs/manpages/smbcacls.1
@@ -1,7 +1,7 @@
.TH "smbcacls " "1" "3 Dec 2000" "Samba" "SAMBA"
.PP
.SH "NAME"
-smbcacls \- Set or get ACLs on an NT file
+smbcacls \- Set or get ACLs on an NT file or directory
.PP
.SH "SYNOPSIS"
.PP
@@ -17,28 +17,31 @@ SMB file shares\&.
.PP
.SH "OPTIONS"
.PP
-The following options are available to the \fBsmbcacls\fP program:
+The following options are available to the \fBsmbcacls\fP program\&. The
+format of ACLs is described in the section ACL FORMAT
.PP
.IP
.IP "\fB-A acls\fP"
.IP
-Add the ACLs specified to the ACL list\&.
+Add the ACLs specified to the ACL list\&. Existing access control entries
+are unchanged\&.
.IP
.IP "\fB-M acls\fP"
.IP
Modify the mask value (permissions) for the ACLs specified on the command
-line\&. An error will be printed if the ACL specified is not already present
-in the ACL list
+line\&. An error will be printed for each ACL specified that was not already
+present in the ACL list\&.
.IP
.IP "\fB-D acls\fP"
.IP
-Delete any ACLs specfied on the command line\&. An error is printed if any
-of the ACLs specified are not present in the ACL list\&.
+Delete any ACLs specfied on the command line\&. An error will be printed for
+each ACL specified that was not already present in the ACL list\&.
.IP
.IP "\fB-S acls\fP"
.IP
-This command deletes the current ACLs for the file or directory and
-replaces them with the ACLs specified on the command line\&.
+This command sets the ACLs on the file with only the ones specified on the
+command line\&. All other ACLs are erased\&. Note that the ACL specified must
+contain at least a revision, type, owner and group for the call to succeed\&.
.IP
.IP "\fB-U username\fP"
.IP
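Review bot: The rewritten -D line still carries the typo "specfied"; since the patch replaces that line anyway, correct it to "specified". The added sentence "format of ACLs is described in the section ACL FORMAT" is also missing its closing period (\&.), unlike every other sentence in this hunk.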
@@ -60,6 +63,88 @@ format\&.
Print usage information on the \fBsmbcacls\fP program
.IP
.PP
+.SH "ACL FORMAT"
+.PP
+The format of an ACL is one or more ACL entries separated by either spaces,
+commas or newlines\&. An ACL entry is one of the following:
+.PP
+
+.nf
+
+
+REVISION:
+OWNER:
+GROUP:
+ACL:://
+.fi
+
+
+.PP
+The revision of the ACL specifies the internal Windows NT ACL revision for
+the security descriptor\&. If not specified it defaults to 1\&.
+.PP
+The owner and group specify the owner and group sids for the object\&. If a
+SID in the format \f(CWS-1-x-y-z\fP is specified this is used, otherwise
+the name specified is resolved using the server on which the file or
+directory resides\&.
+.PP
+ACLs specify permissions granted to the SID\&. This SID again can be
+specified in \f(CWS-1-x-y-z\fP format or as a name in which case it is resolved
+against the server on which the file or directory resides\&. The type, flags
+and mask values determine the type of access granted to the SID\&.
+.PP
+The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to
+the SID\&. The flags values are generally zero for file ACLs and either 9 or
+2 for directory ACLs\&. Some common flags are:
+.PP
+
+.nf
+
+
+#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
+#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
+#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
+#define SEC_ACE_FLAG_INHERIT_ONLY 0x8
+.fi
+
+
+.PP
+The mask is a value which expresses the access right granted to
+the SID\&. It can be given as a hexadecimal value or by using one of the
+following text strings which map to the NT file permissions of the same
+name\&.
+.PP
+.IP
+.IP ""
+\f(CWR\fP Allow read access
+.IP
+.IP ""
+\f(CWW\fP Allow write access
+.IP
+.IP ""
+\f(CWX\fP Execute permission on the object
+.IP
+.IP ""
+\f(CWD\fP Delete the object
+.IP
+.IP ""
+\f(CWP\fP Change permissions
+.IP
+.IP ""
+\f(CWO\fP Take ownership
+.IP
+.PP
+The following combined permissions can be specified:
+.PP
+.IP
+.IP ""
+\f(CWREAD\fP Equivalent to \f(CWRX\fP permissions
+.IP ""
+\f(CWCHANGE\fP Equivalent to \f(CWRXWD\fP permissions
+.IP ""
+\f(CWFULL\fP Equivalent to \f(CWRWXDPO\fP permissions
+.IP
+.PP
.SH "EXIT STATUS"
.PP
.SH "AUTHOR"
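Review bot: The entry templates inside the first .nf block read "REVISION:", "OWNER:", "GROUP:" and "ACL:://" with no field names, while the HTML version of this section shows "ACL:<sid or name>:<type>/<flags>/<mask>". As written, the man page never tells the reader the order of type, flags and mask, which the paragraphs that follow depend on. Restore the placeholders, escaping the angle brackets if that is what is dropping them.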
diff --git a/docs/yodldocs/smbcacls.1.yo b/docs/yodldocs/smbcacls.1.yo
index d95ca6d387e..249042ce2cb 100644
--- a/docs/yodldocs/smbcacls.1.yo
+++ b/docs/yodldocs/smbcacls.1.yo
@@ -1,7 +1,7 @@
manpage(smbcacls htmlcommand((1)))(1)(3 Dec 2000)(Samba)(SAMBA)
label(NAME)
-manpagename(smbcacls)(Set or get ACLs on an NT file)
+manpagename(smbcacls)(Set or get ACLs on an NT file or directory )
label(SYNOPSIS)
manpagesynopsis()
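Review bot: The new manpagename line has a stray space before the closing parenthesis ("file or directory )") that the removed line did not have. Drop it so the argument ends at "directory".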
@@ -20,33 +20,36 @@ SMB file shares.
label(OPTIONS)
manpageoptions()
-The following options are available to the bf(smbcacls) program:
+The following options are available to the bf(smbcacls) program. The
+format of ACLs is described in the section link(ACL FORMAT)(ACLFORMAT)
startdit()
label(minusA)
dit(bf(-A acls))
-Add the ACLs specified to the ACL list.
+Add the ACLs specified to the ACL list. Existing access control entries
+are unchanged.
label(minusM)
dit(bf(-M acls))
Modify the mask value (permissions) for the ACLs specified on the command
-line. An error will be printed if the ACL specified is not already present
-in the ACL list
+line. An error will be printed for each ACL specified that was not already
+present in the ACL list.
label(minusD)
dit(bf(-D acls))
-Delete any ACLs specfied on the command line. An error is printed if any
-of the ACLs specified are not present in the ACL list.
+Delete any ACLs specfied on the command line. An error will be printed for
+each ACL specified that was not already present in the ACL list.
label(minusS)
dit(bf(-S acls))
-This command deletes the current ACLs for the file or directory and
-replaces them with the ACLs specified on the command line.
+This command sets the ACLs on the file with only the ones specified on the
+command line. All other ACLs are erased. Note that the ACL specified must
+contain at least a revision, type, owner and group for the call to succeed.
label(minusU)
dit(bf(-U username))
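Review bot: The replacement -S text says "sets the ACLs on the file", dropping the "file or directory" wording of the lines it removes, in the same patch that extends the NAME line to "an NT file or directory". Keep "file or directory" here. "All other ACLs are erased" would also read more precisely as entries being removed, since the -A description above now uses "access control entries" for the same objects.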
@@ -72,7 +75,73 @@ Print usage information on the bf(smbcacls) program
enddit()
-label(EXIT STATUS)
+label(ACLFORMAT)
+manpagesection(ACL FORMAT)
+
+The format of an ACL is one or more ACL entries separated by either spaces,
+commas or newlines. An ACL entry is one of the following:
+
+verb(
+REVISION:
+OWNER:
+GROUP:
+ACL:://)
+
+The revision of the ACL specifies the internal Windows NT ACL revision for
+the security descriptor. If not specified it defaults to 1.
+
+The owner and group specify the owner and group sids for the object. If a
+SID in the format tt(S-1-x-y-z) is specified this is used, otherwise
+the name specified is resolved using the server on which the file or
+directory resides.
+
+ACLs specify permissions granted to the SID. This SID again can be
+specified in tt(S-1-x-y-z) format or as a name in which case it is resolved
+against the server on which the file or directory resides. The type, flags
+and mask values determine the type of access granted to the SID.
+
+The type can be either 0 or 1 corresponding to ALLOWED or DENIED access to
+the SID. The flags values are generally zero for file ACLs and either 9 or
+2 for directory ACLs. Some common flags are:
+
+verb(
+#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
+#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
+#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
+#define SEC_ACE_FLAG_INHERIT_ONLY 0x8)
+
+The mask is a value which expresses the access right granted to
+the SID. It can be given as a hexadecimal value or by using one of the
+following text strings which map to the NT file permissions of the same
+name.
+
+startdit()
+
+dit() tt(R) Allow read access
+
+dit() tt(W) Allow write access
+
+dit() tt(X) Execute permission on the object
+
+dit() tt(D) Delete the object
+
+dit() tt(P) Change permissions
+
+dit() tt(O) Take ownership
+
+enddit()
+
+The following combined permissions can be specified:
+
+startdit()
+
+dit() tt(READ) Equivalent to tt(RX) permissions
+dit() tt(CHANGE) Equivalent to tt(RXWD) permissions
+dit() tt(FULL) Equivalent to tt(RWXDPO) permissions
+
+enddit()
+
+label(EXITSTATUS)
manpagesection(EXIT STATUS)
label(AUTHOR)
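Review bot: The last change in this hunk renames label(EXIT STATUS) to label(EXITSTATUS), which is unrelated to the ACL FORMAT addition. Any link() that targets the old label text needs updating in the same change; otherwise leave the label as it was. The first verb() block in the added section also shows the entry templates as "REVISION:", "OWNER:", "GROUP:" and "ACL:://" with no field names, so the type/flags/mask order the later paragraphs rely on is not stated in this file.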