cpierre at coreweave.com
2021-Sep-15 18:35 UTC
[Samba] Cannot set permissions from Windows: "Failed to Enumerate Objects in the Container. Access is denied."
Hi,
I have a domain-joined Samba fileserver, and I'm attempting to grant permissions
based on AD Objects. I'm able to access the share after chown on the mount
path; however, permissions cannot be adjusted from the Windows client.
Nothing in the logs stands out at the default logging level.
smbstatus --version
Version 4.11.6-Ubuntu
Here is my /etc/samba/user.map:
!root = ${DOMAINNAME}\Administrator ${DOMAINNAME}\administrator
Administrator administrator
/etc/samba/smb.conf:
[global]
workgroup = ${DOMAINNAME}
security = ADS
realm = ${DNSDOMAIN}
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Data %h
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config ${DOMAINNAME} : backend = rid
idmap config ${DOMAINNAME} : range = 10000-999999
template shell = /bin/bash
template homedir = /home/${DOMAINNAME}/%U
domain master = no
local master = no
preferred master = no
os level = 20
#map to guest = bad user
host msdfs = no
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
acl_xattr:ignore system acls = yes
# Share Setting Globally
#unix extensions = no
#reset on zero vc = yes
#veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
#hide unreadable = yes
# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Security
#client ipc max protocol = SMB3
#client ipc min protocol = SMB2_10
#client max protocol = SMB3
#client min protocol = SMB2_10
#server max protocol = SMB3
#server min protocol = SMB2_10
# Time Machine
#fruit:delete_empty_adfiles = yes
#fruit:time machine = yes
#fruit:veto_appledouble = no
#fruit:wipe_intentionally_left_blank_rfork = yes
[${VOLUME}]
path = /share/samba/${VOLUME}
read only = no
#guest ok = no
#veto files /.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
#delete veto files = yes
Rowland Penny
2021-Sep-15 19:01 UTC
[Samba] Cannot set permissions from Windows: "Failed to Enumerate Objects in the Container. Access is denied."
On Wed, 2021-09-15 at 14:35 -0400, cpierre--- via samba wrote:
> Hi,
>
> I have a domain-joined Samba fileserver, and I'm attempting to grant
> permissions based on AD Objects. I'm able to access the share after
> chown on the mount

How did you 'chown' the permissions ?

> path; however, permissions cannot be adjusted from the Windows client.
>
> Nothing in the logs stands out at the default logging level.
>
> smbstatus --version
>
> Version 4.11.6-Ubuntu
>
> Here is my /etc/samba/user.map:
>
> !root = ${DOMAINNAME}\Administrator ${DOMAINNAME}\administrator
> Administrator administrator
>

You do not need all that, just:

!root = ${DOMAINNAME}\Administrator

> /etc/samba/smb.conf:
>
> [global]
> workgroup = ${DOMAINNAME}
> security = ADS
> realm = ${DNSDOMAIN}
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> server string = Data %h
>
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = yes
> winbind normalize names = Yes
>
> ## map ids outside of domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> ## map ids from the domain the ranges may not overlap !
> idmap config ${DOMAINNAME} : backend = rid
> idmap config ${DOMAINNAME} : range = 10000-999999
> template shell = /bin/bash
> template homedir = /home/${DOMAINNAME}/%U
>
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> #map to guest = bad user
> host msdfs = no
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/user.map
>
> # For ACL support on domain member
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> acl_xattr:ignore system acls = yes
>
> # disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> [${VOLUME}]
> path = /share/samba/${VOLUME}
> read only = no
>

There doesn't seem to be anything wrong there, is apparmor getting in the way ?

Have you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland