osdc at mailbox.org
2017-Mar-29 12:24 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
Dear colleagues and samba-experts,

I installed a samba-file-server as a samba domain-member using debian jessie-packages, following the samba-manual "Setting up Samba as a Domain Member".

I can access the shares and create files but there are issues concerning security.

As proposed I am using RSAT (on a german Windows 10 Pro, logged in as Domain Administrator) to set details concerning the shares.

When for example I want to remove "everyone" from accessing a share and try to save it, I receive the following message:

---
german:

Fehler beim Anwenden der Sicherheit

Fehler beim Anwenden von Sicherheitsinformationen auf:

\\samba-fs\museum.rubens.world\mrtx

Fehler beim Aufzählen der Objekte im Container. Zugriff verweigert.

english:

Error applying security

An error occurred while applying security information to:

\\samba-fs\museum.rubens.world\mrtx

Failed to enumerate objects in the container. Access is denied.

---

The same messages occur, if I try to change anything else. For example taking ownership is not possible.

Furthermore, I need to set user/group via chown to see the owner. If I do not, the owner can not be shown.

Sometimes I receive another error message from windows security:

'Die Berechtigungsinformationen für "xyz (\\samba-fs.museum.rubens.world)" wurden nicht gespeichert. Zugriff verweigert'

I could not find the english original version of that error message. It may be:

'Security for "..." could not be applied. Access denied'

There is another error message I receive but I guess it does not have to do with it - when joining the domain I receive these error messages:

---

root@samba-fs:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- RUBENS
Joined 'SAMBA-FS' to dns domain 'museum.rubens.world'
DNS Update for samba-fs.museum.rubens.world failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

---

I followed the guides "Troubleshooting Samba Domain Members" and "Testing Dynamic DNS Updates"

On both dc's I get the following:

---

root@dc2:~# samba_dnsupdate --verbose --all-names

IPs: ['192.168.0.242']
Calling nsupdate for A dc2.museum.rubens.world 192.168.0.242 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc2.museum.rubens.world. 900 IN A 192.168.0.242

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for A museum.rubens.world 192.168.0.242 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
museum.rubens.world. 900 IN A 192.168.0.242

[...]

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.museum.rubens.world dc2.museum.rubens.world 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.museum.rubens.world. 900 IN SRV 0 100 389 dc2.museum.rubens.world.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 26 entries

---

This seems to be a harmless bug: https://lists.samba.org/archive/samba/2015-March/190408.html

But it may be related to the problem.

I updated from debian jessie to stretch, hoping to improve the situation, but that did not help.

the domain controllers run Samba 4.2.14-Debian.

My samba-fs-Setup:

root@samba-fs:~# samba -V
Version 4.5.6-Debian

---

root@samba-fs:~# cat /etc/krb5.conf
[libdefaults]
default_realm = MUSEUM.RUBENS.WORLD
dns_lookup_realm = false
dns_lookup_kdc = true

---

root@samba-fs:~# cat /etc/resolv.conf
search museum.rubens.world
nameserver 192.168.0.241

---

root@samba-fs:~# cat /etc/hosts
127.0.0.1 localhost
192.168.0.243 samba-fs.museum.rubens.world samba-fs

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

---

root@samba-fs:~# cat /etc/samba/smb.conf
[global]
workgroup = RUBENS
realm = MUSEUM.RUBENS.WORLD
netbios name = SAMBA-FS
security = ADS
encrypt passwords = yes

log file = /var/log/samba/%m.log
log level = 1

idmap config * : backend = tdb
idmap config * : range = 70000-79999
idmap config RUBENS:backend = rid
idmap config RUBENS:schema_mode = rfc2307
idmap config RUBENS:range = 3000000-4000000

map untrusted to domain = yes

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
username map = /etc/samba/user.map

guest account = nobody
printing = bsd
printcap name = /etc/printcap

[gf]
path = /fs/gf
read only = no
admin users = "@RUBENS\Domain Admins"

---

root@samba-fs:~# ls -la /fs/gf/
insgesamt 12
drwxrwxrwx+ 2 administrator domain admins 4096 Mär 27 16:20 .
drwxrwxrwx 3 administrator domain admins 4096 Mär 29 14:05 ..

---

root@samba-fs:~# pstree
systemd─┬─acpid
        ├─agetty
        ├─atd
        ├─cron
        ├─dbus-daemon
        ├─exim4
        ├─nmbd
        ├─ntpd───{ntpd}
        ├─rpc.idmapd
        ├─rpc.statd
        ├─rpcbind
        ├─rsyslogd─┬─{in:imklog}
        │          ├─{in:imuxsock}
        │          └─{rs:main Q:Reg}
        ├─smbd─┬─cleanupd
        │      ├─lpqd
        │      ├─smbd
        │      └─smbd-notifyd
        ├─sshd───sshd───bash───su───bash───pstree
        ├─sshd
        ├─systemd-journal
        ├─systemd-logind
        ├─systemd-udevd
        └─winbindd───4*[winbindd]

---

root@samba-fs:~# net rpc rights list privileges SeDiskOperatorPrivilege -U "RUBENS\administrator"
Enter RUBENS\administrator's password:
SeDiskOperatorPrivilege:
  RUBENS\Administrator
  RUBENS\domain admins
  BUILTIN\Administrators

---
Rowland Penny
2017-Mar-29 12:51 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
On Wed, 29 Mar 2017 14:24:50 +0200 (CEST) martin via samba <samba at lists.samba.org> wrote:

>
> ---
>
> root@samba-fs:~# ls -la /fs/gf/
> insgesamt 12
> drwxrwxrwx+ 2 administrator domain admins 4096 Mär 27 16:20 .
> drwxrwxrwx 3 administrator domain admins 4096 Mär 29 14:05 ..
>

That looks suspect, what is in '/etc/samba/user.map' ?

Administrator shouldn't resolve on a Unix domain member, it should be mapped to root.

Rowland
osdc at mailbox.org
2017-Mar-29 13:37 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
> Rowland Penny via samba <samba at lists.samba.org> wrote on 29 March 2017 at 14:51:
>
>
> > root@samba-fs:~# ls -la /fs/gf/
> > insgesamt 12
> > drwxrwxrwx+ 2 administrator domain admins 4096 Mär 27 16:20 .
> > drwxrwxrwx 3 administrator domain admins 4096 Mär 29 14:05 ..
> >
>
> That looks suspect, what is in '/etc/samba/user.map' ?

---

root@samba-fs:~# cat /etc/samba/user.map
!root = RUBENS\Administrator RUBENS\administrator

---

I used the default before, root:root 600, I believe.

I am just having an unrelated hardware problem with the drive of the fileserver so I am using the opportunity to start a completely new setup of the domain member.
Rowland Penny
2017-Mar-29 13:41 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
On Wed, 29 Mar 2017 15:35:21 +0200 (CEST) Martin Hauptmann <post at mailbox.org> wrote:

> > Rowland Penny via samba <samba at lists.samba.org> wrote on 29 March 2017 at 14:51:
> >
> >
> > > root@samba-fs:~# ls -la /fs/gf/
> > > insgesamt 12
> > > drwxrwxrwx+ 2 administrator domain admins 4096 Mär 27 16:20 .
> > > drwxrwxrwx 3 administrator domain admins 4096 Mär 29 14:05 ..
> > >
> >
> > That looks suspect, what is in '/etc/samba/user.map' ?
>
> ---
>
> root@samba-fs:~# cat /etc/samba/user.map
> !root = RUBENS\Administrator RUBENS\administrator
>
> ---
>
> I used the default before, root:root 600, I believe. I am just having
> an unrelated hardware problem with the drive of the fileserver so i
> am using the opportunity to start a completely new setup of the
> domain member.

I use the 'ad' backend and you cannot 'chown Administrator', so I suggest you revert to using 'root' and also follow this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
L.P.H. van Belle
2017-Mar-29 14:19 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
I've commented in between the lines, but first do what Rowland already told you.

When done, read on, some other pointers.

...

>
> Dear colleagues and samba-experts,
>
> I installed a samba-file-server as a samba domain-member using debian
> jessie-packages, following the samba-manual "Setting up Samba as a Domain
> Member".
>
> I can access the shares and create files but there are issues concerning
> security.
>
> As proposed I am using RSAT (on a german Windows 10 Pro, logged in as
> Domain Administrator) to set details concerning the shares.
>
> When for example I want to remove "everyone" from accessing a share and
> try to save it, I receive the following message:

Ok, before you remove it add "authenticated users", with full control to the "SHARE" security.
Click apply, remove everyone, if that does not work, reboot your pc first or logout/login again.

>
> ---
> german:
>
> Fehler beim Anwenden der Sicherheit
>
> Fehler beim Anwenden von Sicherheitsinformationen auf:
>
> \\samba-fs\museum.rubens.world\mrtx

Is this correct because based on your smb.conf I would expect. Typo?
\\samba-fs.museum.rubens.world\mrtx

> There is another error message I receive but I guess it does not have to
> do with it - when joining the domain I receive these error messages:
>
> ---
>
> root@samba-fs:~# net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- RUBENS
> Joined 'SAMBA-FS' to dns domain 'museum.rubens.world'
> DNS Update for samba-fs.museum.rubens.world failed:
> ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>

Check your dns if the correct record exists.

> ---
>
> I followed the guides "Troubleshooting Samba Domain Members" and "Testing
> Dynamic DNS Updates"
>
> On both dc's I get the following:
>
> ---
>
> root@dc2:~# samba_dnsupdate --verbose --all-names
>
> IPs: ['192.168.0.242']
> Calling nsupdate for A dc2.museum.rubens.world 192.168.0.242 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> dc2.museum.rubens.world. 900 IN A 192.168.0.242
>
> ; TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> Calling nsupdate for A museum.rubens.world 192.168.0.242 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> museum.rubens.world. 900 IN A 192.168.0.242
>
> [...]
>
> ; TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-
> Name._sites.ForestDnsZones.museum.rubens.world dc2.museum.rubens.world 389
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-
> Name._sites.ForestDnsZones.museum.rubens.world. 900 IN SRV 0 100 389
> dc2.museum.rubens.world.
>
> ; TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> Failed update of 26 entries
>
> ---
>
> This seems to be a harmless bug:
> https://lists.samba.org/archive/samba/2015-March/190408.html
>
> But it may be related to the problem.
>
>
> I updated from debian jessie to stretch, hoping to improve the situation,
> but that did not help.
>
> the domain controllers run Samba 4.2.14-Debian.

If you want you can safely upgrade your DC's with my 4.5.3 packages.

>
> My samba-fs-Setup:
>
>
> root@samba-fs:~# samba -V
> Version 4.5.6-Debian
>
> ---
>
> root@samba-fs:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = MUSEUM.RUBENS.WORLD
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> ---
>
> root@samba-fs:~# cat /etc/resolv.conf
> search museum.rubens.world
> nameserver 192.168.0.241

Add the second DC also.

>
> ---
> root@samba-fs:~# cat /etc/hosts
> 127.0.0.1 localhost
> 192.168.0.243 samba-fs.museum.rubens.world samba-fs
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> ---
>
> root@samba-fs:~# cat /etc/samba/smb.conf
> [global]
> workgroup = RUBENS
> realm = MUSEUM.RUBENS.WORLD
> netbios name = SAMBA-FS
> security = ADS
> encrypt passwords = yes
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = tdb
> idmap config * : range = 70000-79999
> idmap config RUBENS:backend = rid
> idmap config RUBENS:schema_mode = rfc2307

If you use RID, remove "idmap config RUBENS:schema_mode = rfc2307"

> idmap config RUBENS:range = 3000000-4000000
>
> map untrusted to domain = yes
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> username map = /etc/samba/user.map
>
> guest account = nobody
> printing = bsd
> printcap name = /etc/printcap
>
> [gf]
> path = /fs/gf
> read only = no
> admin users = "@RUBENS\Domain Admins"

Are you setting up with POSIX ACL or Windows ACL?

If Windows ACL, remove admin users = "@RUBENS\Domain Admins"
And set it from within Windows.

I'm wondering if a username map is allowed in a share? I don't know that.

>
> ---
>
> root@samba-fs:~# net rpc rights list privileges SeDiskOperatorPrivilege -U
> "RUBENS\administrator"
> Enter RUBENS\administrator's password:
> SeDiskOperatorPrivilege:
> RUBENS\Administrator
> RUBENS\domain admins
> BUILTIN\Administrators

This is not how to set it.
You only need : BUILTIN\Administrators
Because "RUBENS\domain admins" is member of "BUILTIN\Administrators"
And "RUBENS\Administrator" is member of "RUBENS\domain admins"

If the server isn't in production yet.
Try the following on the samba-fs, remove it from the domain, cleanup, and re-add it.

Stop samba winbind smbd nmbd.

#Login:
kinit Administrator

#leave the domain.
net ads remove -k

#cleanup.
mv /etc/krb5.keytab{,.old}
rm /var/lib/samba/*.tdb
rm /var/lib/samba/private*.tdb
rm /var/cache/samba/*.tdb
rm /var/cache/samba/*.dat

#dns manager:
Now check your dns if there still is a dns A record for this host. If it is, remove it.

#AD user/computers.
Remove the computer samba-fs there also.

#Wait a min.
Now add the samba-fs again.
net ads join -k

and see what happens then.

Greetz,

Louis
osdc at mailbox.org
2017-Mar-29 18:17 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
Hi colleagues,

I am deeply impressed about the quick support on this list. Thank you a lot.

> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote on 29 March 2017 at 16:19:
>
>
> I've commented in between the lines, but first do what Rowland already told you.
>
> When done, read on, some other pointers.
>

> > \\samba-fs\museum.rubens.world\mrtx
>
> Is this correct because based on your smb.conf i would expect. Typo?
>

yes, that was some share i tested with before.

> >
> > the domain controllers run Samba 4.2.14-Debian.
>
> If you want you can safely upgrade your DC's with my 4.5.3 packages.

Usually I prefer the standard debian packages for not breaking their security concept. But that old samba may cause some of the trouble I would like to avoid. So your offer sounds great, are they debs? Where do I find them?

>
> Add the second DC also.

okay

>
>
> Are you setting up with POSIX ACL or Windows ACL?
>
> If windows ACL, remove admin users = "@RUBENS\Domain Admins"

Yes, Windows ACL

>
> If the server isn't in production yet.

It was not and I had to start a complete new setup. the ssd has died and i did not have any backups, raid or stuff setup.

Now I am stuck with the problem, that wbinfo works but getent shows only local users or groups. I hope a more up to date samba will resolve that.

Your help is appreciated.

martin
L.P.H. van Belle
2017-Mar-30 08:43 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
First of all..

> It was not and I had to start a complete new setup. the ssd has died and i
> did not have any backups, raid or stuff setup.

This is bad for you but good for me in helping you ;-)
I'm assuming that you're able to do a new clean install.

And on the question :

> Now I am stuck with the problem, that wbinfo works but getent shows only
> local users or groups. I hope a more up to date samba will resolve that.

A possible solution is also in the setup below. ( check nsswitch.conf )
At least you can review your steps also.

You can run this with all the debian default packages and/or with addition of my packages.
So you can choose from:
4.2.14 Debian stable packages.
4.5.3 packages using my apt repo.
A 4.6.0/4.6.1 package as test package outside the repo.
Setup and info ( http://apt.van-belle.nl and http://downloads.van-belle.nl/samba4 )

So a clean setup on jessie and you want a member server..
If you do exactly as I'm showing here, you have a working samba member on jessie in one go.

! If you can start cleanly, that's the best.
! Pre steps, remove any old DNS record and remove the computer object from the AD. ( I use the RSAT tools for that )

Setup jessie:
Choose expert install, and at taskselect choose only ssh server. ( optional and the standard package, but I setup really minimal )

# install WITH static ip from the start, ( best ) or install with dhcp ip and change /etc/hosts /etc/resolv.conf /etc/network/interfaces.
Check all these.

# FQDN
hostname -f
# hostname
hostname -s
# domainname
hostname -d
# host IP
hostname -i

If one isn't correct stop here, correct it, and reboot the server.

Next, install the needed packages.

apt-get install samba smbclient samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind krb5-user ntp bind9-host libpam-krb5

# At the questions, fill in your DC ip numbers at ntp
# krb5-user fill in your REALM in CAPS.
# keep all other defaults.

Stop samba and winbind:
systemctl stop samba
systemctl stop winbind

Setup /etc/samba/smb.conf
This is "my" minimal setup, well tested. You change the NTDOM DOM.TLD eth/ip etc to your setup.

#### BEGIN SMB.CONF
[global]
    workgroup = NTDOM
    security = ADS
    realm = NTDOM.DOM.TLD

    # MEMBER SERVER SETTING ONLY ( NMBD ) and ad dc does not start NMBD
    # Set master browser for the network.
    # preferred + domain master = guarantee master browser ( man smb.conf )
    # !! MAKE SURE THERE ONLY ONE MASTER BROWSER !!
    #preferred master = yes
    #domain master = yes

    interfaces = ethX_or_ip_`hostname-i` 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes

    ## Make sure you match the DC backends also for best results.
    ## https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
    # map id's outside to domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    # map ids from the domain the range may not overlap !
    # https://wiki.samba.org/index.php/Idmap_config_ad
    #idmap config NTDOM: backend = ad
    #idmap config NTDOM: schema_mode = rfc2307
    # Use home directory and shell information from AD
    #winbind nss info = rfc2307
    # or
    # https://wiki.samba.org/index.php/Idmap_config_rid
    idmap config NTDOM: backend = rid
    idmap config NTDOM: range = 10000-3999999

    # Template settings for login shell and home directory
    winbind nss info = template
    template shell = /bin/bash
    # the one matches the user share below.
    template homedir = /home/samba/users/%U

    # show users/groups with : getent passwd
    # when set to no, use : getent passwd username
    winbind enum users = yes
    winbind enum groups = yes

    # enable offline logins
    winbind offline logon = yes

    # check depth of nested groups, ! slows down your samba, if too much groups depth
    # 4-5 is a good default
    winbind expand groups = 4

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

    # disable usershare creating, when set empty, you don't get error log messages.
    usershare path =

    # Disable printing completely, remove this
    # or setup to your needs if you need printing.
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # For Windows ACL support on member file server,
    # enabled globally, OBLIGATED
    # For a mixed setup of rights, put this per share!
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # Share Setting Globally
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
# You need only 2-4 lines per share if you go for windows ACL.
# sample share setup.
[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

[users]
    browseable = yes
    path = /home/samba/users
    read only = no
    acl_xattr:ignore system acl = yes

# This acl_xattr is optional, this one depends on your network setup,
# you decide.
[public]
    browseable = yes
    path = /home/samba/public
    read only = no
#### END SMB.CONF

Setup the user mapping file : /etc/samba/samba_usermapping
!root = NTDOM\Administrator NTDOM\administrator

# Change your /etc/nsswitch.conf
cp /etc/nsswitch.conf{,.backup}
sed -i 's]passwd: compat]passwd: compat winbind]g' /etc/nsswitch.conf
sed -i 's]group: compat]group: compat winbind]g' /etc/nsswitch.conf

Now if you didn't change anything else, you should be ready.. ;-) , yes ready.

kinit administrator
( should respond with administrator@REALM and login )

# join the domain.
net ads join -S hostname-DC.your.domain.tld -k

# setup the SePrivileges, yes all of these, because this is for the group "DOMAIN ADMINS"
# and Dom Admin are allowed everything. ( optional change NTDOM\Domain Admins, to BUILTIN\Administrators )
# both work good, I prefer like below.
# change the 2 variables below to match your setup.
SETNTPASSWD="YOUR_Administrator_PASSWD"
SETNTDOM="NTDOM"

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeDiskOperatorPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeTakeOwnershipPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeBackupPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeRestorePrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeRemoteShutdownPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SePrintOperatorPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeAddUsersPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeDiskOperatorPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeSecurityPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeSystemtimePrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeShutdownPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeDebugPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeSystemEnvironmentPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeSystemProfilePrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeProfileSingleProcessPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeIncreaseBasePriorityPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeLoadDriverPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeCreatePagefilePrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeIncreaseQuotaPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeChangeNotifyPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeUndockPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeManageVolumePrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeImpersonatePrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeCreateGlobalPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeEnableDelegationPrivilege -Uadministrator

Setup pam configs for ssh krb5 and winbind:
pam-auth-update

Reboot the server.
Login on the server (ssh), check your logs syslog samba etc., then login on a windows pc as "DOMAIN\Administrator",
connect to the server, and setup your shares security and folder security.
See the samba wiki for the setup.
# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Give it a go and if you have questions, ask.

Ps.
For SSO with ssh, you need a small adjustment in sshd_config
Set : GSSAPIAuthentication yes

Greetz,

Louis
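The smb.conf points raised in the replies above (no schema_mode together with the rid backend, idmap ranges that must not overlap, no "admin users" on a share managed with Windows ACLs) can be checked mechanically before restarting Samba. The following is an added example, not code from the thread or from the Samba project; the function names and rule labels are hypothetical, and the sample input is trimmed from the smb.conf posted in the first message.

```python
import re

# Trimmed from the smb.conf posted in the first message of this thread.
SAMPLE_SMB_CONF = r"""
[global]
workgroup = RUBENS
security = ADS
idmap config * : backend = tdb
idmap config * : range = 70000-79999
idmap config RUBENS:backend = rid
idmap config RUBENS:schema_mode = rfc2307
idmap config RUBENS:range = 3000000-4000000
vfs objects = acl_xattr
username map = /etc/samba/user.map

[gf]
path = /fs/gf
read only = no
admin users = "@RUBENS\Domain Admins"
"""


def parse_smb_conf(text):
    """Return {section: {normalised parameter name: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Normalise case and whitespace so "idmap config * : range"
            # and "idmap config *:range" compare equal.
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def idmap_domains(global_params):
    """Group 'idmap config DOMAIN : option' parameters by domain."""
    domains = {}
    for key, value in global_params.items():
        if key.startswith("idmapconfig") and ":" in key:
            domain, option = key[len("idmapconfig"):].split(":", 1)
            domains.setdefault(domain.upper(), {})[option] = value
    return domains


def lint(text):
    """Return a list of (rule, subject) findings for the three checks."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings, ranges = [], []
    for domain, opts in sorted(idmap_domains(glob).items()):
        # Thread advice: with the rid backend, drop schema_mode.
        if opts.get("backend") == "rid" and "schema_mode" in opts:
            findings.append(("rid-schema-mode", domain))
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if m:
            ranges.append((int(m.group(1)), int(m.group(2)), domain))
    # Thread advice: the default (*) and domain ranges may not overlap.
    ranges.sort()
    for i, (_, hi1, d1) in enumerate(ranges):
        for lo2, _, d2 in ranges[i + 1:]:
            if lo2 <= hi1:
                findings.append(("range-overlap", f"{d1}/{d2}"))
    # Thread advice: with Windows ACLs (acl_xattr), remove "admin users"
    # from the share and manage access from Windows instead.
    for name, params in conf.items():
        if name == "global":
            continue
        vfs = params.get("vfsobjects", glob.get("vfsobjects", ""))
        if "acl_xattr" in vfs.split() and "adminusers" in params:
            findings.append(("admin-users-with-windows-acl", name))
    return findings


if __name__ == "__main__":
    for rule, subject in lint(SAMPLE_SMB_CONF):
        print(f"{rule}: {subject}")
```

Run against the real file with `lint(open("/etc/samba/smb.conf").read())`; it only reads the text and does not replace `testparm`.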