Carlos
2018-Jan-15 20:49 UTC
[Samba] Failed to enumerate objects in the container. Access is denied
Hi!

I have one fileserver; it was OK, but now when I change permissions (as another user, not Administrator) with RSAT it shows me the message:

"Failed to enumerate objects in the container. Access is denied"

Samba Version (Compiled)

4.7.3

Ubuntu 16.04

# smb.conf

[global]
workgroup = XXXXX
realm = INTERNO.XXXXX.XXX.BR
security = ADS
username map = /usr/local/samba/etc/user.map

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind cache time = 60

winbind max clients = 600
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind nss info = template
template shell = /bin/bash

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config XXXXX : backend = rid
idmap config XXXXX : range = 10000-999999

# Required for the file server
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

#
# Disable Cups
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# Recycle bin + audit
vfs objects = recycle,full_audit
recycle:keeptree = yes
recycle:versions = yes
recycle:repository = /opt/DADOS/Lixeira/%U
recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.iso, *.exe
recycle:exclude_dir = tmp
recycle:touch = yes
recycle:touch_mtime = yes
full_audit:failure = none
full_audit:facility = local5
full_audit:priority = notice
full_audit:prefix = %u|%I|%S
full_audit:success = rename rmdir unlink

# include
include = /opt/samba/etc/compartilhamento.conf

# compartilhamento.conf

[TEC]
path= /opt/DADOS/TEC/
read only = no

# user.map

!root = XXXXX\Administrator

---------------------------------------------------------

Before today I could change permissions with any user in the group "Admins Domain", but today only Administrator (= root) works; any other user receives the error message.

Any idea?

Regards;
Rowland Penny
2018-Jan-15 21:24 UTC
[Samba] Failed to enumerate objects in the container. Access is denied
On Mon, 15 Jan 2018 18:49:18 -0200 Carlos via samba <samba at lists.samba.org> wrote:

> Hi!
>
> I have one fileserver; it was OK, but now when I change permissions
> (as another user, not Administrator) with RSAT it shows me the message:
>
> "Failed to enumerate objects in the container. Access is denied"

Fairly obvious, the user doesn't have the required permissions.

> Samba Version (Compiled)
>
> 4.7.3
>
> Ubuntu 16.04
>
> # smb.conf
>
> [global]
> workgroup = XXXXX
> realm = INTERNO.XXXXX.XXX.BR
> security = ADS
> username map = /usr/local/samba/etc/user.map
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind cache time = 60
>
> winbind max clients = 600
> winbind enum users = Yes
> winbind enum groups = Yes

Nothing to do with your problem, but you do not need the two lines above.

> winbind use default domain = Yes
> winbind nss info = rfc2307

The line above is only required when using the winbind 'ad' backend, and only then when using Samba < 4.6.0.

> winbind refresh tickets = Yes
> winbind nss info = template
> template shell = /bin/bash
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999

Why are the lines above duplicated?

> idmap config XXXXX : backend = rid
> idmap config XXXXX : range = 10000-999999
>
> # Required for the file server
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> #
> # Disable Cups
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # Recycle bin + audit
> vfs objects = recycle,full_audit

Congratulations, you have just turned off the acl_xattr vfs object.

> recycle:keeptree = yes
> recycle:versions = yes
> recycle:repository = /opt/DADOS/Lixeira/%U
> recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.iso, *.exe
> recycle:exclude_dir = tmp
> recycle:touch = yes
> recycle:touch_mtime = yes
> full_audit:failure = none
> full_audit:facility = local5
> full_audit:priority = notice
> full_audit:prefix = %u|%I|%S
> full_audit:success = rename rmdir unlink
>
> # include
> include = /opt/samba/etc/compartilhamento.conf
>
> # compartilhamento.conf
>
> [TEC]
> path= /opt/DADOS/TEC/
> read only = no
>
> # user.map
>
> !root = XXXXX\Administrator
>
> ---------------------------------------------------------
>
> Before today I could change permissions with any user in the group
> "Admins Domain", but today only Administrator (= root) works; any
> other user receives the error message.
>
> Any idea?

If it worked previously, but doesn't now, something must have changed. Have you updated the DC or the Windows client?

Rowland
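Added example, not part of the original thread and not Samba's own code: a small Python check for the failure mode Rowland points out, where a second `vfs objects =` line in the same section replaces the first instead of adding to it. The sample text is constructed from the configuration posted above; the function names are hypothetical.

```python
import re

# Constructed sample: the relevant smb.conf lines posted in this thread.
SAMPLE_CONF = """\
[global]
# Required for the file server
vfs objects = acl_xattr
map acl inherit = Yes
# Recycle bin + audit
vfs objects = recycle,full_audit

[TEC]
path = /opt/DADOS/TEC/
read only = no
"""

def normalise(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def find_overrides(conf_text):
    # Returns (effective, overrides); the last assignment in a section wins.
    # overrides holds (section, param, lost_value, winning_value, line_no).
    # Simplified: no backslash continuations, 'include' files are not followed.
    section, effective, overrides = "global", {}, []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        params = effective.setdefault(section, {})
        key, value = normalise(name), value.strip()
        if key in params and params[key] != value:
            overrides.append((section, key, params[key], value, line_no))
        params[key] = value
    return effective, overrides

def vfs_modules(effective, share="global"):
    # A share without its own 'vfs objects' uses the [global] value.
    own = effective.get(share, {}).get("vfsobjects")
    value = own if own is not None else effective.get("global", {}).get("vfsobjects", "")
    return [m for m in re.split(r"[,\s]+", value) if m]
```

On the sample, `find_overrides` reports that `acl_xattr` was lost to `recycle,full_audit`, and `vfs_modules` shows the [TEC] share running without `acl_xattr`. Listing every module on a single line, for example `vfs objects = acl_xattr recycle full_audit`, leaves nothing overridden.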
Carlos
2018-Jan-15 21:36 UTC
[Samba] Failed to enumerate objects in the container. Access is denied
On 15-01-2018 19:24, Rowland Penny via samba wrote:

> On Mon, 15 Jan 2018 18:49:18 -0200
> Carlos via samba <samba at lists.samba.org> wrote:
>
>> Hi!
>>
>> I have one fileserver; it was OK, but now when I change permissions
>> (as another user, not Administrator) with RSAT it shows me the message:
>>
>> "Failed to enumerate objects in the container. Access is denied"
>
> Fairly obvious, the user doesn't have the required permissions.

:-D

>> Samba Version (Compiled)
>>
>> 4.7.3
>>
>> Ubuntu 16.04
>>
>> # smb.conf
>>
>> [global]
>> workgroup = XXXXX
>> realm = INTERNO.XXXXX.XXX.BR
>> security = ADS
>> username map = /usr/local/samba/etc/user.map
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind cache time = 60
>>
>> winbind max clients = 600
>> winbind enum users = Yes
>> winbind enum groups = Yes
>
> Nothing to do with your problem, but you do not need the two lines
> above.

OK.

>> winbind use default domain = Yes
>> winbind nss info = rfc2307
>
> The line above is only required when using the winbind 'ad' backend, and
> only then when using Samba < 4.6.0.
>
>> winbind refresh tickets = Yes
>> winbind nss info = template
>> template shell = /bin/bash
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>
> Why are the lines above duplicated?

No, I duplicated them when copying.

>> idmap config XXXXX : backend = rid
>> idmap config XXXXX : range = 10000-999999
>>
>> # Required for the file server
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>>
>> #
>> # Disable Cups
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> # Recycle bin + audit
>> vfs objects = recycle,full_audit
>
> Congratulations, you have just turned off the acl_xattr vfs object.

I don't understand....

>> recycle:keeptree = yes
>> recycle:versions = yes
>> recycle:repository = /opt/DADOS/Lixeira/%U
>> recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.iso, *.exe
>> recycle:exclude_dir = tmp
>> recycle:touch = yes
>> recycle:touch_mtime = yes
>> full_audit:failure = none
>> full_audit:facility = local5
>> full_audit:priority = notice
>> full_audit:prefix = %u|%I|%S
>> full_audit:success = rename rmdir unlink
>>
>> # include
>> include = /opt/samba/etc/compartilhamento.conf
>>
>> # compartilhamento.conf
>>
>> [TEC]
>> path= /opt/DADOS/TEC/
>> read only = no
>>
>> # user.map
>>
>> !root = XXXXX\Administrator
>>
>> ---------------------------------------------------------
>>
>> Before today I could change permissions with any user in the group
>> "Admins Domain", but today only Administrator (= root) works; any
>> other user receives the error message.
>>
>> Any idea?
>
> If it worked previously, but doesn't now, something must have changed.
> Have you updated the DC or the Windows client?
>
> Rowland

On the fileserver, no change, but on DC103 (I have 3 DCs) I did this process (https://lists.samba.org/archive/samba/2018-January/213262.html). But I put back the original idmap.ldb.....

> 1) on your first DC (that one that has PDC FSMO, and is the source for
> rsync) create backup of idmap.ldb
>
> tdbbackup -s .bak /path/to/samba/private/idmap.ldb
>
> it will create idmap.ldb.bak
>
> 2) stop samba service on second DC
>
> 3) copy idmap.ldb.bak from first dc to second dc, lose the .bak suffix
> and just copy it over idmap.ldb on second dc
>
> 4) start samba on second dc