L.P.H. van Belle
2017-Mar-30 08:43 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
First of all..

> It was not and I had to start a complete new setup. the ssd has died and I
> did not have any backups, raid or stuff setup.

This is bad for you but good for me in helping you ;-)
I'm going for it that you're able to do a new clean install.

And on the question:

> Now I am stuck with the problem, that wbinfo works but getent shows only
> local users or groups. I hope a more up to date samba will resolve that.

A possible solution is also in the setup below. ( check nsswitch.conf )
At least you can review your steps also.

You can run this with all the Debian default packages and/or with the addition of my packages.
So you can choose from:
4.2.14 Debian stable packages.
4.5.3 packages using my apt repo.
4.6.0/4.6.1 packages as test packages outside the repo.
Setup and info ( http://apt.van-belle.nl and http://downloads.van-belle.nl/samba4 )

So a clean setup on jessie and you want a member server..
If you do exactly as I'm showing here, you have in one go a working samba member on jessie.

! If you can start cleanly, that's the best. !

Pre steps, remove any old DNS record and remove the computer object from the AD.
( I use the RSAT tools for that )

Setup jessie:
Choose expert install, and at tasksel choose only ssh server.
( optional and the standard package, but I set up really minimal )

# install WITH static ip from the start, ( best )
# or install with dhcp ip and change /etc/hosts /etc/resolv.conf /etc/network/interfaces.
Check all these.
# FQDN
hostname -f
# hostname
hostname -s
# domainname
hostname -d
# host IP
hostname -i
if one isn't correct stop here, correct it, and reboot the server.

Next, install the needed packages.
apt-get install samba smbclient samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind krb5-user ntp bind9-host libpam-krb5
# At the questions, fill in your DC ip numbers at ntp
# krb5-user fill in your REALM in CAPS.
# keep all other defaults.

stop samba and winbind
systemctl stop samba
systemctl stop winbind

setup /etc/samba/smb.conf
this is "my" minimal setup, well tested.
You change the NTDOM DOM.TLD eth/ip etc to your setup.

#### BEGIN SMB.CONF
[global]
    workgroup = NTDOM
    security = ADS
    realm = NTDOM.DOM.TLD

    # MEMBER SERVER SETTING ONLY ( NMBD ) an AD DC does not start NMBD
    # Set master browser for the network.
    # preferred + domain master = guarantee master browser ( man smb.conf )
    # !! MAKE SURE THERE IS ONLY ONE MASTER BROWSER !!
    #preferred master = yes
    #domain master = yes

    interfaces = ethX_or_ip_`hostname -i` 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes

    ## Make sure you match the DC backends also for best results.
    ## https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
    # map ids outside the domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    # map ids from the domain, the ranges may not overlap !
    # https://wiki.samba.org/index.php/Idmap_config_ad
    #idmap config NTDOM: backend = ad
    #idmap config NTDOM: schema_mode = rfc2307
    # Use home directory and shell information from AD
    #winbind nss info = rfc2307
    # or
    # https://wiki.samba.org/index.php/Idmap_config_rid
    idmap config NTDOM: backend = rid
    idmap config NTDOM: range = 10000-3999999
    # Template settings for login shell and home directory
    winbind nss info = template
    template shell = /bin/bash
    # this one matches the user share below.
    template homedir = /home/samba/users/%U

    # show users/groups with : getent passwd
    # when set to no, use : getent passwd username
    winbind enum users = yes
    winbind enum groups = yes
    # enable offline logins
    winbind offline logon = yes
    # check depth of nested groups, ! slows down your samba if the group depth is too much
    # 4-5 is a good default
    winbind expand groups = 4

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

    # disable usershare creating, when set empty, you don't get error log messages.
    usershare path =

    # Disable printing completely, remove this
    # or set up to your needs if you need printing.
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # For Windows ACL support on member file server,
    # enabled globally, OBLIGATED
    # For a mixed setup of rights, put this per share!
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # Share Setting Globally
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
# You need only 2-4 lines per share if you go for windows ACL.
# sample share setup.
[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

[users]
    browseable = yes
    path = /home/samba/users
    read only = no
    acl_xattr:ignore system acl = yes

# This acl_xattr is optional, this one depends on your network setup,
# you decide.
[public]
    browseable = yes
    path = /home/samba/public
    read only = no
#### END SMB.CONF

Setup the user mapping file : /etc/samba/samba_usermapping
!root = NTDOM\Administrator NTDOM\administrator

# Change your /etc/nsswitch.conf
cp /etc/nsswitch.conf{,.backup}
sed -i 's]passwd: compat]passwd: compat winbind]g' /etc/nsswitch.conf
sed -i 's]group: compat]group: compat winbind]g' /etc/nsswitch.conf

now if you didn't change anything else, you should be ready.. ;-) , yes ready.

kinit administrator
( should respond with administrator at REALM and login )

# join the domain.
net ads join -S hostname-DC.your.domain.tld -k

# setup the SePrivileges, yes all of these, because this is for the group "DOMAIN ADMINS"
# and Dom Admins are allowed everything.
( optional change NTDOM\Domain Admins, to BUILTIN\Administrators )
# both work good, I prefer like below.
# change the 2 variables below to match your setup.
SETNTPASSWD="YOUR_Administrator_PASSWD"
SETNTDOM="NTDOM"
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeDiskOperatorPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeTakeOwnershipPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeBackupPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeRestorePrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeRemoteShutdownPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SePrintOperatorPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeAddUsersPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeSecurityPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeSystemtimePrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeShutdownPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeDebugPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeSystemEnvironmentPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeSystemProfilePrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeProfileSingleProcessPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeIncreaseBasePriorityPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeLoadDriverPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeCreatePagefilePrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeIncreaseQuotaPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeChangeNotifyPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeUndockPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeManageVolumePrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeImpersonatePrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeCreateGlobalPrivilege -UAdministrator
echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeEnableDelegationPrivilege -Uadministrator

Setup pam configs for ssh krb5 and winbind:
pam-auth-update

reboot the server.

Login on the server (ssh), check your logs, syslog, samba etc.,
then login on a windows pc as "DOMAIN\Administrator", connect to the server, and set up your share security and folder security.
See the samba wiki for the setup.
# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Give it a go and if you have questions, ask.

Ps. For SSO with ssh, you need a small adjustment in sshd_config
Set : GSSAPIAuthentication yes

Greetz,

Louis

> -----Original message-----
> From: osdc at mailbox.org [mailto:osdc at mailbox.org]
> Sent: Wednesday 29 March 2017 20:17
> To: L.P.H. van Belle via samba; L.P.H. van Belle
> Subject: Re: [Samba] Failed to enumerate objects in the container.
> Access is denied.
>
> Hi colleagues,
>
> I am deeply impressed about the quick support on this list. Thank you a
> lot.
>
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote on 29 March
> > 2017 at 16:19:
> >
> >
> > I've commented in between the lines, but first do what Rowland already
> > told you.
> >
> > When done, read on, some other pointers.
> >
> >
> > > \\samba-fs\museum.rubens.world\mrtx
> >
> > Is this correct because based on your smb.conf I would expect. Typo?
> >
>
> yes, that was some share I tested with before.
>
>
> > >
> > > the domain controllers run Samba 4.2.14-Debian.
> >
> > If you want you can safely upgrade your DC's with my 4.5.3 packages.
>
> Usually I prefer the standard debian packages for not breaking their
> security concept. But that old samba may cause some of the trouble I would
> like to avoid. So your offer sounds great, are they debs? Where do I find
> them?
>
>
> >
> > Add the second DC also.
>
> okay
>
> >
> >
> > Are you setting up with POSIX ACL or Windows ACL?
> >
> > If windows ACL, remove admin users = "@RUBENS\Domain Admins"
>
> Yes, Windows ACL
>
>
> >
> > If the server isn't in production yet.
>
> It was not and I had to start a complete new setup. the ssd has died and I
> did not have any backups, raid or stuff setup.
>
> Now I am stuck with the problem, that wbinfo works but getent shows only
> local users or groups. I hope a more up to date samba will resolve that.
>
> Your help is appreciated.
>
> martin
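Two things in Louis's setup are easy to get wrong and explain the symptom in this thread (wbinfo works, getent does not): the idmap ranges in smb.conf must not overlap, and nsswitch.conf must list winbind on both the passwd and group lines. The script below is an added example, not code from the post, that checks both offline; the sample smb.conf and nsswitch.conf files it writes are constructed here from the values in the post.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: offline sanity checks for the
# two settings the setup above stresses, non-overlapping idmap ranges in
# smb.conf and "winbind" on the passwd/group lines of nsswitch.conf.
# The sample files below are constructed here so it runs without a real server.

# Print each "idmap config DOMAIN : range = LOW-HIGH" line as "DOMAIN LOW HIGH".
# Accepts both spellings used in the post ("*:range" and "NTDOM: range").
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:]*\):[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p' "$1"
}

# Exit 0 when no two idmap ranges overlap, 1 (plus a message) otherwise.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Exit 0 only when both passwd and group also resolve through winbind.
check_nsswitch() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Constructed samples: the post's ranges, a deliberately overlapping variant,
# and an nsswitch.conf that the sed lines from the post have not touched yet.
WORK=$(mktemp -d)
GOOD_CONF=$WORK/smb.conf.good; BAD_CONF=$WORK/smb.conf.bad
GOOD_NSS=$WORK/nsswitch.good;  BAD_NSS=$WORK/nsswitch.bad
printf '%s\n' '[global]' '   idmap config *:backend = tdb' '   idmap config *:range = 2000-9999' \
    '   idmap config NTDOM: backend = rid' '   idmap config NTDOM: range = 10000-3999999' > "$GOOD_CONF"
sed 's/10000-3999999/5000-3999999/' "$GOOD_CONF" > "$BAD_CONF"
printf '%s\n' 'passwd:         compat winbind' 'group:          compat winbind' > "$GOOD_NSS"
printf '%s\n' 'passwd:         compat' 'group:          compat' > "$BAD_NSS"

check_idmap_ranges "$GOOD_CONF" && check_nsswitch "$GOOD_NSS" && echo "good config: OK"
check_idmap_ranges "$BAD_CONF" || echo "bad config: rejected as expected"
```

Point the two check functions at the real /etc/samba/smb.conf and /etc/nsswitch.conf on the member server to run the same checks there.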
osdc at mailbox.org
2017-Mar-30 08:59 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote on 30 March 2017 at 10:43:
> This is bad for you but good for me in helping you ;-)
>
> I'm going for it that you're able to do a new clean install.

great, I will give it a try!

martin
osdc at mailbox.org
2017-Mar-30 13:52 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
> > great, I will give it a try!

Hi Louis,

this worked quite well. I used the native Debian version 4.2.14.
May it be possible that the getent problem has something to do with pam-auth-update? I never did that before.

There are still two issues:

1. The path /home/samba does not yet exist, so all the login paths lead to nowhere. Is it a problem to put the samba shares, except profiles and users, to another path? I like to use /fs for shortness.

2. The first share I have set up with RSAT as Domain Administrator worked like expected. I could see the users in the security tab and change them. I could also change ownership successfully. But after saving it, all the others did not work, I see "Failed to enumerate objects in the container. Access is denied." again. When changing settings for the first share, it was the same. So something happened there and it is still not usable. Any ideas? Where could I look? Would 4.5 help? If so, is the update troubleless? Should I do it for the dc's as well?

Best regards
martin