samba - Jan 2018 - Failed to enumerate objects in the container. Access is denied

HI!

I have one fileserve, has ok but now when change permission(oyher user 
not Administrator) with RSAT show me message:

"Failed to enumerate objects in the container. Access is denied"


Samba Version (Compilated)

4.7.3


Ubuntu 16.04


# smb.conf

[global]
         workgroup = XXXXX
         realm = INTERNO.XXXXX.XXX.BR
         security = ADS
         username map = /usr/local/samba/etc/user.map

         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab
         winbind cache time = 60

         winbind max clients = 600
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind nss info = template
         template shell = /bin/bash

         idmap config * : backend = tdb
         idmap config * : range = 3000-7999
         idmap config * : backend = tdb
         idmap config * : range = 3000-7999
         idmap config XXXXX : backend = rid
         idmap config XXXXX : range = 10000-999999

         # Necessario para Fileserver
         vfs objects = acl_xattr
         map acl inherit = Yes
         store dos attributes = Yes

#
         # Disable Cups
         load printers = no
         printing = bsd
         printcap name = /dev/null
         disable spoolss = yes

         # Lixeira + Auditoria
         vfs objects = recycle,full_audit
         recycle:keeptree = yes
         recycle:versions = yes
         recycle:repository = /opt/DADOS/Lixeira/%U
         recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.iso, *.exe
         recycle:exclude_dir = tmp
         recycle:touch = yes
         recycle:touch_mtime = yes
         full_audit:failure = none
         full_audit:facility = local5
         full_audit:priority = notice
         full_audit:prefix = %u|%I|%S
         full_audit:success = rename rmdir unlink

# include
include = /opt/samba/etc/compartilhamento.conf

# compartilhamento.conf

[TEC]
         path= /opt/DADOS/TEC/
         read only = no

# user.map

!root = XXXXX\Administrator


---------------------------------------------------------

Before today i change permission with any user in group "Admins
Domain",
but today only Administrator(= root) ir work, any user receive message 
the error.


Any Idea ?


Regars;

On Mon, 15 Jan 2018 18:49:18 -0200
Carlos via samba <samba at lists.samba.org> wrote:
> HI!
> 
> I have one fileserve, has ok but now when change permission(oyher
> user not Administrator) with RSAT show me message:
> 
> "Failed to enumerate objects in the container. Access is denied"
Fairly obvious, the user doesn't have the required permissions
> 
> 
> Samba Version (Compilated)
> 
> 4.7.3
> 
> 
> Ubuntu 16.04
> 
> 
> # smb.conf
> 
> [global]
>          workgroup = XXXXX
>          realm = INTERNO.XXXXX.XXX.BR
>          security = ADS
>          username map = /usr/local/samba/etc/user.map
> 
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>          winbind cache time = 60
> 
>          winbind max clients = 600
>          winbind enum users = Yes
>          winbind enum groups = Yes

Nothing to do with your problem, but you do not need the two lines
above.
>          winbind use default domain = Yes
>          winbind nss info = rfc2307
The line above is only required when using the winbind 'ad' backend and
only then when using Samba < 4.6.0
>          winbind refresh tickets = Yes
>          winbind nss info = template
>          template shell = /bin/bash
> 
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-7999
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-7999
Why are the lines above duplicated ?
>          idmap config XXXXX : backend = rid
>          idmap config XXXXX : range = 10000-999999
> 
>          # Necessario para Fileserver
>          vfs objects = acl_xattr
>          map acl inherit = Yes
>          store dos attributes = Yes
> 
> #
>          # Disable Cups
>          load printers = no
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
> 
>          # Lixeira + Auditoria
>          vfs objects = recycle,full_audit
Congratulations, you have just turned off the acl_xattr vfs object.
 
>          recycle:keeptree = yes
>          recycle:versions = yes
>          recycle:repository = /opt/DADOS/Lixeira/%U
>          recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.iso,
> *.exe recycle:exclude_dir = tmp
>          recycle:touch = yes
>          recycle:touch_mtime = yes
>          full_audit:failure = none
>          full_audit:facility = local5
>          full_audit:priority = notice
>          full_audit:prefix = %u|%I|%S
>          full_audit:success = rename rmdir unlink
> 
> # include
> include = /opt/samba/etc/compartilhamento.conf
> 
> # compartilhamento.conf
> 
> [TEC]
>          path= /opt/DADOS/TEC/
>          read only = no
> 
> # user.map
> 
> !root = XXXXX\Administrator
> 
> 
> ---------------------------------------------------------
> 
> Before today i change permission with any user in group "Admins
> Domain", but today only Administrator(= root) ir work, any user
> receive message the error.
> 
> 
> Any Idea ?
If it worked previously, but doesn't now, something must have changed,
have you updated the DC or the windows client ?

Rowland

On 15-01-2018 19:24, Rowland Penny via samba wrote:
> On Mon, 15 Jan 2018 18:49:18 -0200
> Carlos via samba <samba at lists.samba.org> wrote:
>
>> HI!
>>
>> I have one fileserve, has ok but now when change permission(oyher
>> user not Administrator) with RSAT show me message:
>>
>> "Failed to enumerate objects in the container. Access is
denied"
> Fairly obvious, the user doesn't have the required permissions
:-D
>>
>> Samba Version (Compilated)
>>
>> 4.7.3
>>
>>
>> Ubuntu 16.04
>>
>>
>> # smb.conf
>>
>> [global]
>>           workgroup = XXXXX
>>           realm = INTERNO.XXXXX.XXX.BR
>>           security = ADS
>>           username map = /usr/local/samba/etc/user.map
>>
>>           dedicated keytab file = /etc/krb5.keytab
>>           kerberos method = secrets and keytab
>>           winbind cache time = 60
>>
>>           winbind max clients = 600
>>           winbind enum users = Yes
>>           winbind enum groups = Yes
>
> Nothing to do with your problem, but you do not need the two lines
> above.
OK.
>>           winbind use default domain = Yes
>>           winbind nss info = rfc2307
> The line above is only required when using the winbind 'ad' backend
and
> only then when using Samba < 4.6.0
>
>>           winbind refresh tickets = Yes
>>           winbind nss info = template
>>           template shell = /bin/bash
>>
>>           idmap config * : backend = tdb
>>           idmap config * : range = 3000-7999
>>           idmap config * : backend = tdb
>>           idmap config * : range = 3000-7999
> Why are the lines above duplicated ?
No, i duplicated when copy.
>>           idmap config XXXXX : backend = rid
>>           idmap config XXXXX : range = 10000-999999
>>
>>           # Necessario para Fileserver
>>           vfs objects = acl_xattr
>>           map acl inherit = Yes
>>           store dos attributes = Yes
>>
>> #
>>           # Disable Cups
>>           load printers = no
>>           printing = bsd
>>           printcap name = /dev/null
>>           disable spoolss = yes
>>
>>           # Lixeira + Auditoria
>>           vfs objects = recycle,full_audit
> Congratulations, you have just turned off the acl_xattr vfs object.
I dont understand....
>   
>>           recycle:keeptree = yes
>>           recycle:versions = yes
>>           recycle:repository = /opt/DADOS/Lixeira/%U
>>           recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.iso,
>> *.exe recycle:exclude_dir = tmp
>>           recycle:touch = yes
>>           recycle:touch_mtime = yes
>>           full_audit:failure = none
>>           full_audit:facility = local5
>>           full_audit:priority = notice
>>           full_audit:prefix = %u|%I|%S
>>           full_audit:success = rename rmdir unlink
>>
>> # include
>> include = /opt/samba/etc/compartilhamento.conf
>>
>> # compartilhamento.conf
>>
>> [TEC]
>>           path= /opt/DADOS/TEC/
>>           read only = no
>>
>> # user.map
>>
>> !root = XXXXX\Administrator
>>
>>
>> ---------------------------------------------------------
>>
>> Before today i change permission with any user in group "Admins
>> Domain", but today only Administrator(= root) ir work, any user
>> receive message the error.
>>
>>
>> Any Idea ?
> If it worked previously, but doesn't now, something must have changed,
> have you updated the DC or the windows client ?
>
> Rowland
In fileserver dont change, but on DC103(i Have 3 Dcs) , but i make process
(https://lists.samba.org/archive/samba/2018-January/213262.html)

But i back idmap.ldb original.....

/1) on your first DC (that one that has PDC FSMO, and is the source for
/>/rsync) create backup of idmap.ldb />//>/tdbbackup -s .bak
/path/to/samba/private/idmap.ldb />//>/it will create idmap.ldb.bak
/>//>/2) stop samba service on second DC />//>/3) copy idmap.ldb.bak
from first dc to second dc, lose the .bak suffix />/and just copy it over
idmap.ldb on second dc />//>/4) start samba on second dc /
>   
>
>