NN 708
2025-Apr-10 09:44 UTC
[Samba] "Failed to Enumerate Objects in the Container. Access is denied." with Windows ACL
Thanks for the information! I can confirm it works in a privileged container.

However, I'm still curious - since both getfacl and setfacl work in a rootless container, what specific action requires root privileges?

Related log:
Allowed connection from *.*.*.*
make_connection_snum: Connect path is '/tmp' for service [IPC$]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at source3/smbd/smb2_create.c:393
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 384.
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 440.
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 48.
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 440.
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 384.
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 440.
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 384.
smbd_marshall_security_desc: sd_size = 76.
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at source3/smbd/smb2_setinfo.c:142

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Luis Peromarta via samba <samba at lists.samba.org>
Sent: Thursday, April 10, 2025 14:37
To: Samba List <samba at lists.samba.org>
Subject: Re: [Samba] "Failed to Enumerate Objects in the Container. Access is denied." with Windows ACL

Unsure about podman but with LXC, container must be privileged.

On 10 Apr 2025 at 08:31 +0200, NN 708 via samba <samba at lists.samba.org>, wrote:
> Hello,
>
> I am encountering an issue while attempting to configure a minimal Samba file server with Windows ACL support in a containerized environment.
>
> Environment:
> Container runtime: Podman 5.4.0
> Base image: docker.io/library/debian:trixie-slim (Debian Trixie)
> Samba version: 4.22.0
>
> Configurations:
> 1. Join the domain using: samba-tool domain join mydomain.com MEMBER -U Administrator
>
> 2. /etc/samba/smb.conf:
> # Global parameters
> [global]
> realm = MYDOMAIN.COM
> server role = member server
> workgroup = MYDOMAIN
> idmap config * : backend = autorid
> idmap config * : rangesize = 10000
> idmap config * : range = 10000-59999
> vfs objects = acl_xattr
> map acl inherit = yes
> [users]
> path = /share/users
> read only = no
>
> 3. Tried both:
> # chown root:"MYDOMAIN\Domain Admins" /share/users
> # chown "MYDOMAIN\Administrator":"MYDOMAIN\Domain Admins" /share/users
>
> Despite successful file read/write operations, permission changes on Windows fail with the error: "Failed to Enumerate Objects in the Container. Access is denied."
>
> Any guidance would be greatly appreciated.
>
> Best regards,
> NN708
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Luis Peromarta
2025-Apr-10 09:59 UTC
[Samba] "Failed to Enumerate Objects in the Container. Access is denied." with Windows ACL
I don't think I can be of any more help as I am no container expert.

On 10 Apr 2025 at 11:45 +0200, NN 708 <nn708 at outlook.com>, wrote:
> Thanks for the information! I can confirm it works in a privileged container.
>
> However, I'm still curious - since both getfacl and setfacl work in a rootless container, what specific action requires root privileges?
>
> Related log:
> Allowed connection from *.*.*.*
> make_connection_snum: Connect path is '/tmp' for service [IPC$]
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at source3/smbd/smb2_create.c:393
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 384.
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 440.
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 48.
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 440.
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 384.
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 440.
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 384.
> smbd_marshall_security_desc: sd_size = 76.
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at source3/smbd/smb2_setinfo.c:142
> From: samba <samba-bounces at lists.samba.org> on behalf of Luis Peromarta via samba <samba at lists.samba.org>
> Sent: Thursday, April 10, 2025 14:37
> To: Samba List <samba at lists.samba.org>
> Subject: Re: [Samba] "Failed to Enumerate Objects in the Container. Access is denied." with Windows ACL
>
> Unsure about podman but with LXC, container must be privileged.
>
> On 10 Apr 2025 at 08:31 +0200, NN 708 via samba <samba at lists.samba.org>, wrote:
> > Hello,
> >
> > I am encountering an issue while attempting to configure a minimal Samba file server with Windows ACL support in a containerized environment.
> >
> > Environment:
> > Container runtime: Podman 5.4.0
> > Base image: docker.io/library/debian:trixie-slim (Debian Trixie)
> > Samba version: 4.22.0
> >
> > Configurations:
> > 1. Join the domain using: samba-tool domain join mydomain.com MEMBER -U Administrator
> >
> > 2. /etc/samba/smb.conf:
> > # Global parameters
> > [global]
> > realm = MYDOMAIN.COM
> > server role = member server
> > workgroup = MYDOMAIN
> > idmap config * : backend = autorid
> > idmap config * : rangesize = 10000
> > idmap config * : range = 10000-59999
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > [users]
> > path = /share/users
> > read only = no
> >
> > 3. Tried both:
> > # chown root:"MYDOMAIN\Domain Admins" /share/users
> > # chown "MYDOMAIN\Administrator":"MYDOMAIN\Domain Admins" /share/users
> >
> > Despite successful file read/write operations, permission changes on Windows fail with the error: "Failed to Enumerate Objects in the Container. Access is denied."
> >
> > Any guidance would be greatly appreciated.
> >
> > Best regards,
> > NN708
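
An added diagnostic for the open question in this thread (not code from either poster or from the Samba project). It assumes, which the thread does not confirm, that the denied step is acl_xattr writing its `security.NTACL` extended attribute: writes to the `security.*` namespace need CAP_SYS_ADMIN, while the POSIX ACLs that getfacl/setfacl touch do not. `user.probe` and `security.probe` are scratch attribute names made up for the probe.

```python
import errno
import os
import sys

CAP_SYS_ADMIN = 21  # bit number from linux/capability.h


def has_capability(status_text, cap=CAP_SYS_ADMIN):
    """True if the CapEff mask in /proc/<pid>/status text has bit `cap` set."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return bool((int(line.split()[1], 16) >> cap) & 1)
    return False


def is_user_namespace(uid_map_text):
    """True unless uid_map is the identity map of the initial user namespace."""
    return uid_map_text.split() != ["0", "0", "4294967295"]


def probe_xattr(path, name):
    """Write then remove a scratch xattr; return 'ok' or the errno name."""
    try:
        os.setxattr(path, name, b"probe")
        os.removexattr(path, name)
        return "ok"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))


def diagnose(path):
    """Collect the facts that decide whether security.* xattrs are writable."""
    with open("/proc/self/status") as f:
        status = f.read()
    with open("/proc/self/uid_map") as f:
        uid_map = f.read()
    return {
        # A capability held only inside a user namespace does not count for
        # files on a filesystem mounted from the host, so check both facts.
        "userns": is_user_namespace(uid_map),
        "cap_sys_admin": has_capability(status),
        "user.probe": probe_xattr(path, "user.probe"),
        "security.probe": probe_xattr(path, "security.probe"),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/share/users"
    for key, value in diagnose(target).items():
        print(f"{key:15} {value}")
```

Run it as root inside the container against the share path; `security.probe` returning EPERM while `user.probe` returns ok would be consistent with the assumption above.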