osdc at mailbox.org
2017-Mar-30 14:25 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
> Rowland Penny <rpenny at samba.org> wrote on 30 March 2017 at 16:15:
>
> > May it be possible, that the getent-problem has something to do with
> > pam-auth-update? I never did that before.
>
> Possibly

If so a hint in the Samba-Setup manual would be of help.

> > there are still two issues:
> >
> > 1. The path /home/samba does not yet exist, so all the login-paths
> > lead to nowhere. Is it a problem to put the samba shares, except
> > profiles and users, to another path? I like to use /fs for shortness.
>
> Wherever you put the share must exist, it will not be created for
> you.
> You could use '/fs', you will just need to change the 'path =' in the
> share.

Yes, I only asked if there is something special about the paths proposed by the setting in smb.conf. Some relation to security.

> > 2. The first share I have setup with RSAT as Domain Administrator
> > worked like expected. I could see the Users in the security tab and
> > change them. I could also change ownership successfully. But after
> > saving it all the others did not work, I see "Failed to enumerate
> > objects in the container. Access is denied." again. When changing
> > settings for the first share, it was the same. So something happened
> > there and it is still not usable.
>
> This sounds like a permissions problem, compare the permissions on the
> one that works with the others that don't.

I would have, but it works only once. After the first time changing the settings it did not work a second time. Just once. There are differences, though:

drwxrwx---+ 2 RUBENS\gf root 4096 Mär 30 14:09 gf
drwxr-xr-x 2 root root 4096 Mär 30 14:56 mrtx

The first share could be changed once, the second share could not. The changing of the owner for /fs/gf worked well, but when I wanted to change it back I was not allowed. Additionally I could not ever change /fs/mrtx.

In the beginning they have all been identical in smb.conf:

[gf]
browseable = yes
path = /fs/gf
read only = no

[mrtx]
browseable = yes
path = /fs/mrtx
read only = no

And I created the folders as root with

mkdir /fs/gf
mkdir /fs/mrtx

So there is no difference. I rebooted the server and Windows 10, still failing to enumerate objects in the container.
Rowland Penny
2017-Mar-30 14:46 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
On Thu, 30 Mar 2017 16:25:46 +0200 (CEST) osdc at mailbox.org wrote:

> > Rowland Penny <rpenny at samba.org> wrote on 30 March 2017 at 16:15:
> >
> > > May it be possible, that the getent-problem has something to do
> > > with pam-auth-update? I never did that before.
> >
> > Possibly
>
> If so a hint in the Samba-Setup manual would be of help.

Problem is, the Samba wiki tries to be OS agnostic and 'pam-auth-update' is a Debian thing.

> Yes, I only asked if there is something special about the paths
> proposed by the setting in smb.conf. Some relation to security.

You can put a share anywhere you like, but it is up to you to secure it.

> I would have, but it works only once. After the first time changing
> the settings it did not work a second time. Just once. There are
> differences, though:
>
> drwxrwx---+ 2 RUBENS\gf root 4096 Mär 30 14:09 gf
> drwxr-xr-x 2 root root 4096 Mär 30 14:56 mrtx
>
> The first share could be changed once, the second share could not.
> The changing of the owner for /fs/gf worked well, but when I wanted
> to change it back I was not allowed. Additionally I could not ever
> change /fs/mrtx. In the beginning they have all been identical in
> smb.conf:
>
> [gf]
> browseable = yes
> path = /fs/gf
> read only = no
>
> [mrtx]
> browseable = yes
> path = /fs/mrtx
> read only = no
>
> And I created the folders as root with
> mkdir /fs/gf
> mkdir /fs/mrtx
>
> So there is no difference. I rebooted the server and windows 10,
> still failing to enumerate objects in the container.

If you look here:

drwxrwx---+ 2 RUBENS\gf root 4096 Mär 30 14:09 gf

There is a '+' sign after the permissions, this means that there are ACLs set on the directory, try running 'getfacl /fs/gf'

Rowland
osdc at mailbox.org
2017-Mar-30 15:01 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
> Rowland Penny <rpenny at samba.org> wrote on 30 March 2017 at 16:46:
>
> If you look here:
>
> drwxrwx---+ 2 RUBENS\gf root 4096 Mär 30 14:09 gf
>
> There is a '+' sign after the permissions, this means that there are
> ACLs set on the directory, try running 'getfacl /fs/gf'

Ok, first /fs/mrtx, then /fs/gf:

root at fs:~# getfacl /fs/mrtx
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: fs/mrtx
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

root at fs:~# getfacl /fs/gf
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: fs/gf
# owner: RUBENS\134gf
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:RUBENS\134gf:rwx
mask::rwx
other::---
default:user::rwx
default:user:RUBENS\134gf:rwx
default:group::r-x
default:group:root:r-x
default:group:RUBENS\134gf:rwx
default:mask::rwx
default:other::---

But still: I cannot change /fs/gf a second time.

And there is something wrong with getent - I have several AD-groups containing users. For example 'gf' is the managers. 'rubens' is staff. But when I do 'getent group' they are mixed up. The group 'rubens' contains only the managers. The user mrtx should be a member of mrtx-group, but is not. The staff does not appear in any group. What could have gone wrong here?
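Added example, not part of the thread: a small Python parser for the two getfacl listings posted above (embedded as posted), which decodes getfacl's octal escapes (`\134` is the backslash in `RUBENS\gf`) and lists the ACL entries that differ between /fs/mrtx and /fs/gf. The function names are this example's own.

```python
import re
# getfacl output for the two shares, copied from the thread above.
MRTX = r"""# file: fs/mrtx
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
"""
GF = r"""# file: fs/gf
# owner: RUBENS\134gf
# group: root
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:RUBENS\134gf:rwx
mask::rwx
other::---
default:user::rwx
default:user:RUBENS\134gf:rwx
default:group::r-x
default:group:root:r-x
default:group:RUBENS\134gf:rwx
default:mask::rwx
default:other::---
"""

def unescape(name):
    # getfacl writes special characters as \ooo octal; \134 is a backslash.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Map (scope, tag, qualifier) to permissions; scope is access or default."""
    acl = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and the "# file/owner/group" header
        scope, rest = ("default", line[8:]) if line.startswith("default:") else ("access", line)
        tag, who, perms = rest.split("#")[0].strip().split(":")
        acl[(scope, tag, unescape(who))] = perms
    return acl

def acl_diff(a, b):
    """Entries that are missing on one side or carry different permissions."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for key, pair in acl_diff(parse_getfacl(MRTX), parse_getfacl(GF)).items():
        print(key, "mrtx=%s gf=%s" % pair)
```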