[Samba] Failed to enumerate objects in the container. Access is denied.
osdc at mailbox.org
Wed Mar 29 12:24:50 UTC 2017
Dear colleagues and samba-experts,
I installed a Samba file server as a Samba domain member using Debian jessie packages, following the Samba manual "Setting up Samba as a Domain Member".
I can access the shares and create files but there are issues concerning security.
As proposed, I am using RSAT (on a German Windows 10 Pro, logged in as Domain Administrator) to set details concerning the shares.
When, for example, I want to remove "everyone" from accessing a share and try to save it, I receive the following message:
---
German:
Fehler beim Anwenden der Sicherheit
Fehler beim Anwenden von Sicherheitsinformationen auf:
\\samba-fs\museum.rubens.world\mrtx
Fehler beim Aufzählen der Objekte im Container. Zugriff verweigert.
English:
Error applying security
An error occurred while applying security information to:
\\samba-fs\museum.rubens.world\mrtx
Failed to enumerate objects in the container. Access is denied.
---
The same messages occur if I try to change anything else. For example, taking ownership is not possible.
Furthermore, I need to set user/group via chown to see the owner. If I do not, the owner cannot be shown.
Sometimes I receive another error message from Windows security:
'Die Berechtigungsinformationen für "xyz (\\samba-fs.museum.rubens.world)" wurden nicht gespeichert.
Zugriff verweigert'
I could not find the English original version of that error message. It may be: 'Security for "..." could not be applied. Access denied'
There is another error message I receive, but I guess it does not have to do with it. When joining the domain I receive these error messages:
---
root@samba-fs:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- RUBENS
Joined 'SAMBA-FS' to dns domain 'museum.rubens.world'
DNS Update for samba-fs.museum.rubens.world failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
---
I followed the guides "Troubleshooting Samba Domain Members" and "Testing Dynamic DNS Updates".
On both DCs I get the following:
---
root@dc2:~# samba_dnsupdate --verbose --all-names
IPs: ['192.168.0.242']
Calling nsupdate for A dc2.museum.rubens.world 192.168.0.242 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc2.museum.rubens.world. 900 IN A 192.168.0.242
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for A museum.rubens.world 192.168.0.242 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
museum.rubens.world. 900 IN A 192.168.0.242
[...]
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.museum.rubens.world dc2.museum.rubens.world 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.museum.rubens.world. 900 IN SRV 0 100 389 dc2.museum.rubens.world.
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 26 entries
---
This seems to be a harmless bug:
https://lists.samba.org/archive/samba/2015-March/190408.html
But it may be related to the problem.
I updated from Debian jessie to stretch, hoping to improve the situation, but that did not help.
The domain controllers run Samba 4.2.14-Debian.
My samba-fs setup:
root@samba-fs:~# samba -V
Version 4.5.6-Debian
---
root@samba-fs:~# cat /etc/krb5.conf
[libdefaults]
default_realm = MUSEUM.RUBENS.WORLD
dns_lookup_realm = false
dns_lookup_kdc = true
---
root@samba-fs:~# cat /etc/resolv.conf
search museum.rubens.world
nameserver 192.168.0.241
---
root@samba-fs:~# cat /etc/hosts
127.0.0.1 localhost
192.168.0.243 samba-fs.museum.rubens.world samba-fs
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
---
root@samba-fs:~# cat /etc/samba/smb.conf
[global]
workgroup = RUBENS
realm = MUSEUM.RUBENS.WORLD
netbios name = SAMBA-FS
security = ADS
encrypt passwords = yes
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 70000-79999
idmap config RUBENS:backend = rid
idmap config RUBENS:schema_mode = rfc2307
idmap config RUBENS:range = 3000000-4000000
map untrusted to domain = yes
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
username map = /etc/samba/user.map
guest account = nobody
printing = bsd
printcap name = /etc/printcap
[gf]
path = /fs/gf
read only = no
admin users = "@RUBENS\Domain Admins"
---
root@samba-fs:~# ls -la /fs/gf/
insgesamt 12
drwxrwxrwx+ 2 administrator domain admins 4096 Mär 27 16:20 .
drwxrwxrwx 3 administrator domain admins 4096 Mär 29 14:05 ..
---
root@samba-fs:~# pstree
systemd─┬─acpid
        ├─agetty
        ├─atd
        ├─cron
        ├─dbus-daemon
        ├─exim4
        ├─nmbd
        ├─ntpd───{ntpd}
        ├─rpc.idmapd
        ├─rpc.statd
        ├─rpcbind
        ├─rsyslogd─┬─{in:imklog}
        │          ├─{in:imuxsock}
        │          └─{rs:main Q:Reg}
        ├─smbd─┬─cleanupd
        │      ├─lpqd
        │      ├─smbd
        │      └─smbd-notifyd
        ├─sshd───sshd───bash───su───bash───pstree
        ├─sshd
        ├─systemd-journal
        ├─systemd-logind
        ├─systemd-udevd
        └─winbindd───4*[winbindd]
---
root@samba-fs:~# net rpc rights list privileges SeDiskOperatorPrivilege -U "RUBENS\administrator"
Enter RUBENS\administrator's password:
SeDiskOperatorPrivilege:
RUBENS\Administrator
RUBENS\domain admins
BUILTIN\Administrators
---