[Samba] Failed to enumerate objects in the container. Access is denied.

L.P.H. van Belle belle at bazuin.nl
Wed Mar 29 14:19:19 UTC 2017


I've commented in between the lines, but first do what Rowland already told you. 

When done, read on, some other pointers. 

 

... 

> 

> Dear colleagues and samba-experts,

> 

> I installed a samba-file-server as a samba domain-member using debian

> jessie-packages, following the samba-manual "Setting up Samba as a Domain

> Member".

> 

> I can access the shares and create files but there are issues concerning

> security.

> 

> As proposed I am using RSAT (on a german Windows 10 Pro, logged in as

> Domain Administrator) to set details concerning the shares.

> 

> When for example I want to remove "everyone" from accessing a share and

> try to save it, I receive the following message:

 

OK, before you remove it, add "authenticated users", with full control, to the "SHARE" security. 

Click Apply, remove everyone; if that does not work, reboot your PC first or log out/log in again. 

 

 

> 

> ---

> german:

> 

> Fehler beim Anwenden der Sicherheit

> 

> Fehler beim Anwenden von Sicherheitsinformationen auf:

> 

> \\samba-fs\museum.rubens.world\mrtx

Is this correct? Because based on your smb.conf I would expect the following. Typo? 

\\samba-fs.museum.rubens.world\mrtx

 

> There is another error message I receive but I guess it does not have to

> do with it - when joining the domain I receive these error messages:

> 

> ---

> 

> root at samba-fs:~# net ads join -U administrator

> Enter administrator's password:

> Using short domain name -- RUBENS

> Joined 'SAMBA-FS' to dns domain 'museum.rubens.world'

> DNS Update for samba-fs.museum.rubens.world failed:

> ERROR_DNS_UPDATE_FAILED

> DNS update failed: NT_STATUS_UNSUCCESSFUL

> 

 

Check your DNS to see if the correct record exists. 

 

 

> ---

> 

> I followed the guides "Troubleshooting Samba Domain Members" and "Testing

> Dynamic DNS Updates"

> 

> On both dc's I get the following:

> 

> ---

> 

> root at dc2:~# samba_dnsupdate --verbose --all-names

> 

> IPs: ['192.168.0.242']

> Calling nsupdate for A dc2.museum.rubens.world 192.168.0.242 (add)

> Outgoing update query:

> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0

> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

> ;; UPDATE SECTION:

> dc2.museum.rubens.world. 900     IN    A     192.168.0.242

> 

> ; TSIG error with server: tsig verify failure

> Failed nsupdate: 2

> Calling nsupdate for A museum.rubens.world 192.168.0.242 (add)

> Outgoing update query:

> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0

> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

> ;; UPDATE SECTION:

> museum.rubens.world.  900   IN    A     192.168.0.242

> 

> [...]

> 

> ; TSIG error with server: tsig verify failure

> Failed nsupdate: 2

> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-

> Name._sites.ForestDnsZones.museum.rubens.world dc2.museum.rubens.world 389

> (add)

> Outgoing update query:

> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0

> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

> ;; UPDATE SECTION:

> _ldap._tcp.Default-First-Site-

> Name._sites.ForestDnsZones.museum.rubens.world. 900 IN SRV 0 100 389

> dc2.museum.rubens.world.

> 

> ; TSIG error with server: tsig verify failure

> Failed nsupdate: 2

> Failed update of 26 entries

> 

> ---

> 

> This seems to be a harmless bug:

> https://lists.samba.org/archive/samba/2015-March/190408.html

> 

> But it may be related to the problem.

> 

> 

> I updated from debian jessie to stretch, hoping to improve the situation,

> but that did not help.

> 

> the domain controllers run Samba 4.2.14-Debian.

If you want, you can safely upgrade your DCs with my 4.5.3 packages. 

 

> 

> My samba-fs-Setup:

> 

> 

> root at samba-fs:~# samba -V

> Version 4.5.6-Debian

> 

> ---

> 

> root at samba-fs:~# cat /etc/krb5.conf

> [libdefaults]

>     default_realm = MUSEUM.RUBENS.WORLD

>     dns_lookup_realm = false

>     dns_lookup_kdc = true

> 

> ---

> 

> root at samba-fs:~# cat /etc/resolv.conf

> search museum.rubens.world

> nameserver 192.168.0.241

Add the second DC also.

 

 

> 

> ---

> root at samba-fs:~# cat /etc/hosts

> 127.0.0.1 localhost

> 192.168.0.243   samba-fs.museum.rubens.world samba-fs

> 

> # The following lines are desirable for IPv6 capable hosts

> ::1     localhost ip6-localhost ip6-loopback

> ff02::1 ip6-allnodes

> ff02::2 ip6-allrouters

> 

> ---

> 

> root at samba-fs:~# cat /etc/samba/smb.conf

> [global]

>        workgroup = RUBENS

>        realm = MUSEUM.RUBENS.WORLD

>        netbios name = SAMBA-FS

>        security = ADS

>        encrypt passwords = yes

> 

>        log file = /var/log/samba/%m.log

>        log level = 1

> 

>        idmap config * : backend = tdb

>        idmap config * : range = 70000-79999

>        idmap config RUBENS:backend = rid

>        idmap config RUBENS:schema_mode = rfc2307


If you use RID, remove "idmap config RUBENS:schema_mode = rfc2307" 

 

>        idmap config RUBENS:range = 3000000-4000000

> 

>        map untrusted to domain = yes

> 

>        winbind nss info = rfc2307

>        winbind trusted domains only = no

>        winbind use default domain = yes

>        winbind enum users = yes

>        winbind enum groups = yes

> 

>        vfs objects = acl_xattr

>        map acl inherit = yes

>        store dos attributes = yes

>        username map = /etc/samba/user.map

> 

>        guest account = nobody

>        printing = bsd

>        printcap name = /etc/printcap

> 

> [gf]

>        path = /fs/gf

>        read only = no

>        admin users = "@RUBENS\Domain Admins"

Are you setting up with POSIX ACL or Windows ACL? 

If Windows ACL, remove admin users = "@RUBENS\Domain Admins"

And set it from within Windows. 

 

I'm wondering if a username map is allowed in a share? I don't know that. 

 

 

> 

> ---

> 

> root at samba-fs:~# net rpc rights list privileges SeDiskOperatorPrivilege -U "RUBENS\administrator"

> Enter RUBENS\administrator's password:

> SeDiskOperatorPrivilege:

>   RUBENS\Administrator

>   RUBENS\domain admins

>   BUILTIN\Administrators

 

This is not how to set it. 

You only need: BUILTIN\Administrators

Because "RUBENS\domain admins" is a member of "BUILTIN\Administrators" 

And "RUBENS\Administrator" is a member of "RUBENS\domain admins"

 

 

If the server isn't in production yet. 

 

Try the following on the samba-fs, remove it from the domain, cleanup, and re-add it. 

 

Stop samba winbind smbd nmbd. 

 

#Login: 

kinit Administrator 

 

#leave the domain.

net ads leave -k

 

#cleanup. 

mv /etc/krb5.keytab{,.old}  

rm /var/lib/samba/*.tdb

rm /var/lib/samba/private/*.tdb

rm /var/cache/samba/*.tdb

rm /var/cache/samba/*.dat

 

#dns manager: 

Now check your DNS to see if there is still a DNS A record for this host. 

If there is, remove it. 

 

#AD user/computers. 

Remove the computer samba-fs there also. 

 

#Wait a min.

 

Now add the samba-fs again. 

 

net ads join -k 

 

 

and see what happens then. 

 

 

Greetz, 

 

Louis
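
The smb.conf and privilege points raised in the reply above can be checked mechanically. The following is an added example, not part of the original post and not Samba project code: the function names are hypothetical, and the sample inputs are constructed from the relevant lines of the configuration and `net rpc rights list` output quoted in the thread.

```python
import re
# Constructed samples: lines taken from the smb.conf and the
# `net rpc rights list` output quoted in the thread.
SAMPLE_CONF = r"""
[global]
    idmap config * : backend = tdb
    idmap config RUBENS:backend = rid
    idmap config RUBENS:schema_mode = rfc2307
    vfs objects = acl_xattr
[gf]
    admin users = "@RUBENS\Domain Admins"
"""
SAMPLE_RIGHTS = r"""SeDiskOperatorPrivilege:
  RUBENS\Administrator
  RUBENS\domain admins
  BUILTIN\Administrators
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces collapsed."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def lint(conf):
    """Flag the two smb.conf points raised in the reply (hypothetical helper)."""
    findings, glob, idmap = [], conf.get("global", {}), {}
    for key, value in glob.items():
        m = re.fullmatch(r"idmap config (.+?) ?: ?(.+)", key)
        if m:  # group per-domain idmap options: {domain: {option: value}}
            idmap.setdefault(m.group(1), {})[m.group(2)] = value.lower()
    for domain, opts in idmap.items():
        if opts.get("backend") == "rid" and "schema_mode" in opts:
            findings.append(f"idmap {domain}: schema_mode set with rid backend")
    for name, share in conf.items():
        vfs = share.get("vfs objects", glob.get("vfs objects", "")).split()
        if name != "global" and "acl_xattr" in vfs and "admin users" in share:
            findings.append(f"[{name}]: admin users set with acl_xattr")
    return findings

def extra_privilege_holders(net_output, keep=r"BUILTIN\Administrators"):
    """Principals listed besides `keep`; the reply says only that one is needed."""
    holders = [l.strip() for l in net_output.splitlines() if l[:1].isspace()]
    return [h for h in holders if h.lower() != keep.lower()]
```

Calling `lint(parse_smb_conf(SAMPLE_CONF))` reports the `schema_mode` and `admin users` lines, and `extra_privilege_holders(SAMPLE_RIGHTS)` lists the two direct grants the reply calls unnecessary.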

 


