osdc at mailbox.org
2017-Mar-30 15:01 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
> Rowland Penny <rpenny at samba.org> wrote on 30 March 2017 at 16:46:
>
> If you look here:
>
> drwxrwx---+ 2 RUBENS\gf root 4096 Mär 30 14:09 gf
>
> There is a '+' sign after the permissions, this means that there are
> ACLs set on the directory, try running 'getfacl /fs/gf'

Ok, first /fs/mrtx, then /fs/gf:

    root at fs:~# getfacl /fs/mrtx
    getfacl: Entferne führende '/' von absoluten Pfadnamen
    # file: fs/mrtx
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x

    root at fs:~# getfacl /fs/gf
    getfacl: Entferne führende '/' von absoluten Pfadnamen
    # file: fs/gf
    # owner: RUBENS\134gf
    # group: root
    user::rwx
    user:root:rwx
    group::r-x
    group:root:r-x
    group:RUBENS\134gf:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:RUBENS\134gf:rwx
    default:group::r-x
    default:group:root:r-x
    default:group:RUBENS\134gf:rwx
    default:mask::rwx
    default:other::---

But still: I cannot change /fs/gf a second time.

And there is something wrong with getent - I have several AD-groups containing users. For example 'gf' is the managers. 'rubens' is staff. But when I do 'getent group' they are mixed up. The group 'rubens' contains only the managers. The user mrtx should be a member of mrtx-group, but is not. The staff does not appear in any group.

What could have gone wrong here?
Rowland Penny
2017-Mar-30 15:40 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
On Thu, 30 Mar 2017 17:01:53 +0200 (CEST)
martin via samba <samba at lists.samba.org> wrote:

> > Rowland Penny <rpenny at samba.org> wrote on 30 March 2017 at 16:46:
> >
> > If you look here:
> >
> > drwxrwx---+ 2 RUBENS\gf root 4096 Mär 30 14:09 gf
> >
> > There is a '+' sign after the permissions, this means that there are
> > ACLs set on the directory, try running 'getfacl /fs/gf'
>
> Ok, first /fs/mrtx, then /fs/gf:
>
> root at fs:~# getfacl /fs/mrtx
> getfacl: Entferne führende '/' von absoluten Pfadnamen
> # file: fs/mrtx
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x

This shows that the owner is 'root' and the group is 'root', the only user or group that has write permissions is the owner 'root'.

>
> root at fs:~# getfacl /fs/gf
> getfacl: Entferne führende '/' von absoluten Pfadnamen
> # file: fs/gf
> # owner: RUBENS\134gf
> # group: root
> user::rwx
> user:root:rwx
> group::r-x
> group:root:r-x
> group:RUBENS\134gf:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:RUBENS\134gf:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:RUBENS\134gf:rwx
> default:mask::rwx
> default:other::---
>

This shows that the owner is 'gf' and the group is 'root', 'gf' and 'root' both have write permissions.

> But still: I cannot change /fs/gf a second time.

OK, try this, change the ownership of both dirs to root:Domain Admins

Then go and follow this wikipage:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
osdc at mailbox.org
2017-Mar-30 16:10 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
> Rowland Penny <rpenny at samba.org> wrote on 30 March 2017 at 17:40:
>
> OK, try this, change the ownership of both dirs to root:Domain Admins
>
> Then go and follow this wikipage:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Ok, just did that. I have been always trying to follow this manual, to the point "Select the security Tab". This worked exactly once, only the first time, after new setup. The second time I just see a window telling me I was not allowed to change anything. And when I try to save it, I get the well known error message. Or it sometimes does not complain but simply does not remember anything.

I guess there must be something not up to date being accessed on the AD's. What I do in RSAT does not seem to have any influence after the first time. And these strange artifacts in getent like 134 or 040 (by the way after doing
chown -R root:"RUBENS\domain admins" /fs/gf/ )

    root at fs:~# getfacl /fs/gf/
    getfacl: Entferne führende '/' von absoluten Pfadnamen
    # file: fs/gf/
    # owner: root
    # group: RUBENS\134domain\040admins
    user::rwx
    user:root:rwx
    group::r-x
    group:root:r-x
    group:RUBENS\134gf:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:RUBENS\134gf:rwx
    default:group::r-x
    default:group:root:r-x
    default:group:RUBENS\134gf:rwx
    default:mask::rwx
    default:other::---

---

I have no clue how to go on, looks like a dead end to me.

I appreciate your patience very much.

martin
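Added example (editorial, not part of any post in this thread): the \134 and \040 sequences in the getfacl output above are getfacl's octal quoting of the backslash and the space in names such as RUBENS\domain admins. The Python below decodes them and lists which access entries keep write permission once the mask is applied; the function names and the shortened sample are assumptions of this example.

```python
import re

# Constructed sample: getfacl output for /fs/gf as quoted in the thread,
# with the default: entries shortened.
SAMPLE = r"""# file: fs/gf/
# owner: root
# group: RUBENS\134domain\040admins
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:RUBENS\134gf:rwx
mask::rwx
other::---
default:user::rwx
default:group:RUBENS\134gf:rwx
"""

def unquote(name):
    """Undo getfacl's \\nnn octal quoting (\\134 is '\\', \\040 is a space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return (header dict, [(scope, tag, qualifier, perms), ...])."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition(": ")
            header[key] = unquote(value)
        elif line:
            line = re.split(r"\s+#", line)[0]  # drop "#effective:" comments
            scope = "access"
            if line.startswith("default:"):
                scope, line = "default", line[len("default:"):]
            tag, rest = line.split(":", 1)
            qualifier, perms = rest.rsplit(":", 1)
            entries.append((scope, tag, unquote(qualifier), perms))
    return header, entries

def effective_writers(text):
    """Users/groups whose access entry grants 'w' after the mask is applied."""
    header, entries = parse_getfacl(text)
    access = [e for e in entries if e[0] == "access"]
    mask = next((p for _, t, _, p in access if t == "mask"), "rwx")
    writers = []
    for _, tag, qual, perms in access:
        if tag in ("mask", "other") or "w" not in perms:
            continue
        if (tag == "user" and not qual) or "w" in mask:  # mask never limits the owner
            name = qual or header["owner" if tag == "user" else "group"]
            if f"{tag}:{name}" not in writers:
                writers.append(f"{tag}:{name}")
    return writers
```
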
L.P.H. van Belle
2017-Mar-31 07:41 UTC
[Samba] Failed to enumerate objects in the container. Access is denied.
Hai,

I see Rowland helped a bit already and good things going here..

For your setup, this is how I do my setup.

First your data path
/fs/gf
/fs/othere_path..

I normally start with:
chmod 2775 /fs
chown root:"Domain Admins" /fs
( optional share \\server\fs$ )

chmod 2775 /fs/gf
chown root:"Domain Admins" /fs/gf
( or chmod -R ... but I don't know if you already did setup more )
( share \\server\gf )

Connect from within windows to the share and setup the following.
Start with the SHARE SECURITY.
Setup the Share rights with
Or authenticated users or Everyone with "Full Control". *( or set both )
And no, this is not insecure, the folder rights protect the write access for everyone and authenticated users.
You always need at least one of these if you do more than a data only share. ( like software deploying, etc )

Next security tab,
Creator Owner (special rights) (optional, use creator group is preferred )
But as base you need to have minimal.
Group Owner (special rights)
Domain Admins (Full control)
YOUR_SPECIAL_GROUP (change)

Optional depending on needs like GPO things also, software deploy, then these 2 are a must
SYSTEM (full control)
Verified users ( read )

Now in case of /fs/gf
After you have set above, don't use chmod any more. Do this from within windows.
And optional you can setup with.
acl_xattr:ignore system acls = yes
but think before you set that one, if you set, apply/check all of the above again.

Now last.
On the security tab, click advanced.
In above setup, the owner should be root. That is correct keep it.
Click on change permissions.
( optional ) Remove the checkmark from "Include inheritable permissions from this objects parent"
And set the other one. (Obligated)
Apply.

I'm assuming you kept the default "primary group" in the AD, for the users.
So it should be "domain users".

The setup works as follows.
Share rights, allows everyone ( and or authenticated users) to connect and write over the share.
Security rights, allows only that what is set to write, This is mixed with the share right.
And blocks the everyone/authenticated from the share, except the
The "Special" right sets the needed group to allow writes/overwrites in that folder.

This is a bit how I setup.
Try it and let us know if it's working.

Greetz,

Louis