cpierre at coreweave.com
2021-Sep-15 18:35 UTC
[Samba] Cannot set permissions from Windows: "Failed to Enumerate Objects in the Container. Access is denied."
Hi,

I have a domain joined Samba fileserver, I'm attempting to grant permissions based on AD Objects. I'm able to access the share after chown on the mount path, however permissions cannot be adjusted from the Windows client.

Nothing in the logs stands out at the default logging level.

smbstatus --version
Version 4.11.6-Ubuntu

Here is my /etc/samba/user.map:

!root = ${DOMAINNAME}\Administrator ${DOMAINNAME}\administrator Administrator administrator

/etc/samba/smb.conf:

[global]
workgroup = ${DOMAINNAME}
security = ADS
realm = ${DNSDOMAIN}

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

server string = Data %h

winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes

## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config ${DOMAINNAME} : backend = rid
idmap config ${DOMAINNAME} : range = 10000-999999
template shell = /bin/bash
template homedir = /home/${DOMAINNAME}/%U

domain master = no
local master = no
preferred master = no
os level = 20
#map to guest = bad user
host msdfs = no

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map

# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
acl_xattr:ignore system acls = yes

# Share Setting Globally
#unix extensions = no
#reset on zero vc = yes
#veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
#hide unreadable = yes

# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# Security
#client ipc max protocol = SMB3
#client ipc min protocol = SMB2_10
#client max protocol = SMB3
#client min protocol = SMB2_10
#server max protocol = SMB3
#server min protocol = SMB2_10

# Time Machine
#fruit:delete_empty_adfiles = yes
#fruit:time machine = yes
#fruit:veto_appledouble = no
#fruit:wipe_intentionally_left_blank_rfork = yes

[${VOLUME}]
path = /share/samba/${VOLUME}
read only = no
#guest ok = no
#veto files /.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
#delete veto files = yes
Rowland Penny
2021-Sep-15 19:01 UTC
[Samba] Cannot set permissions from Windows: "Failed to Enumerate Objects in the Container. Access is denied."
On Wed, 2021-09-15 at 14:35 -0400, cpierre--- via samba wrote:
> Hi,
>
> I have a domain joined Samba fileserver, I'm attempting to grant
> permissions based on AD Objects. I'm able to access the share after
> chown on the mount

How did you 'chown' the permissions?

> path, however permissions cannot be adjusted from the Windows client.
>
> Nothing in the logs stands out at the default logging level.
>
> smbstatus --version
> Version 4.11.6-Ubuntu
>
> Here is my /etc/samba/user.map:
>
> !root = ${DOMAINNAME}\Administrator ${DOMAINNAME}\administrator Administrator administrator
>

You do not need all that, just:

!root = ${DOMAINNAME}\Administrator

> /etc/samba/smb.conf:
>
> [global]
> workgroup = ${DOMAINNAME}
> security = ADS
> realm = ${DNSDOMAIN}
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> server string = Data %h
>
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = yes
> winbind normalize names = Yes
>
> ## map ids outside of domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> ## map ids from the domain the ranges may not overlap !
> idmap config ${DOMAINNAME} : backend = rid
> idmap config ${DOMAINNAME} : range = 10000-999999
> template shell = /bin/bash
> template homedir = /home/${DOMAINNAME}/%U
>
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> #map to guest = bad user
> host msdfs = no
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/user.map
>
> # For ACL support on domain member
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> acl_xattr:ignore system acls = yes
>
> # disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> [${VOLUME}]
> path = /share/samba/${VOLUME}
> read only = no
>

There doesn't seem to be anything wrong there, is apparmor getting in the way?

Have you read this:

wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
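
The posted smb.conf carries the comment that the idmap ranges may not overlap. The following is an added example, not code from either poster or from the Samba project: a Python check that parses the idmap config lines and reports overlapping ID ranges. EXAMPLE stands in for ${DOMAINNAME}, the function names are hypothetical, and the second sample (range starting at 9000) is constructed to show a failing case.

```python
import re
from itertools import combinations

# "idmap config <DOMAIN> : <option> = <value>", spaces around ':' optional
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)  # commented-out lines never match
        if not m:
            continue
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if option == "range":
            low, high = (int(part) for part in value.split("-"))
            if low > high:
                raise ValueError(f"inverted idmap range for {domain}: {value}")
            entry["range"] = (low, high)
        else:
            entry["backend"] = value
    return domains

def find_overlaps(domains):
    """Return pairs of domains whose ID ranges share at least one ID."""
    ranged = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    return [(d1, d2)
            for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2)
            if lo1 <= hi2 and lo2 <= hi1]

# idmap lines as posted in the thread; EXAMPLE is a placeholder for ${DOMAINNAME}
POSTED = """
## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
"""
# Constructed failing case: the domain range now starts inside the default range
BROKEN = POSTED.replace("10000-999999", "9000-999999")

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("broken", BROKEN)):
        clashes = find_overlaps(parse_idmap(text))
        print(name, "OK" if not clashes else f"overlap: {clashes}")
```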