[Samba] Failed to enumerate objects in the container. Access is denied.
L.P.H. van Belle
belle at bazuin.nl
Wed Mar 29 14:19:19 UTC 2017
I've commented in between the lines, but first do what Rowland already told you.
When done, read on, some other pointers.
...
>
> Dear colleagues and samba-experts,
>
> I installed a samba-file-server as a samba domain-member using debian
> jessie-packages, following the samba-manual "Setting up Samba as a Domain
> Member".
>
> I can access the shares and create files but there are issues concerning
> security.
>
> As proposed I am using RSAT (on a german Windows 10 Pro, logged in as
> Domain Administrator) to set details concerning the shares.
>
> When for example I want to remove "everyone" from accessing a share and
> try to save it, I receive the following message:
OK, before you remove it, add "authenticated users" with full control to the "SHARE" security.
Click apply, remove everyone; if that does not work, reboot your PC first or log out/log in again.
>
> ---
> german:
>
> Fehler beim Anwenden der Sicherheit
>
> Fehler beim Anwenden von Sicherheitsinformationen auf:
>
> \\samba-fs\museum.rubens.world\mrtx
Is this correct? Based on your smb.conf I would expect the following. Typo?
\\samba-fs.museum.rubens.world\mrtx
> There is another error message I receive but I guess it does not have to
> do with it - when joining the domain I receive these error messages:
>
> ---
>
> root@samba-fs:~# net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- RUBENS
> Joined 'SAMBA-FS' to dns domain 'museum.rubens.world'
> DNS Update for samba-fs.museum.rubens.world failed:
> ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
Check your DNS to see if the correct record exists.
> ---
>
> I followed the guides "Troubleshooting Samba Domain Members" and "Testing
> Dynamic DNS Updates"
>
> On both dc's I get the following:
>
> ---
>
> root@dc2:~# samba_dnsupdate --verbose --all-names
>
> IPs: ['192.168.0.242']
> Calling nsupdate for A dc2.museum.rubens.world 192.168.0.242 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> dc2.museum.rubens.world. 900 IN A 192.168.0.242
>
> ; TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> Calling nsupdate for A museum.rubens.world 192.168.0.242 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> museum.rubens.world. 900 IN A 192.168.0.242
>
> [...]
>
> ; TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-
> Name._sites.ForestDnsZones.museum.rubens.world dc2.museum.rubens.world 389
> (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-
> Name._sites.ForestDnsZones.museum.rubens.world. 900 IN SRV 0 100 389
> dc2.museum.rubens.world.
>
> ; TSIG error with server: tsig verify failure
> Failed nsupdate: 2
> Failed update of 26 entries
>
> ---
>
> This seems to be a harmless bug:
> https://lists.samba.org/archive/samba/2015-March/190408.html
>
> But it may be related to the problem.
>
>
> I updated from debian jessie to stretch, hoping to improve the situation,
> but that did not help.
>
> the domain controllers run Samba 4.2.14-Debian.
If you want, you can safely upgrade your DCs with my 4.5.3 packages.
>
> My samba-fs-Setup:
>
>
> root@samba-fs:~# samba -V
> Version 4.5.6-Debian
>
> ---
>
> root@samba-fs:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = MUSEUM.RUBENS.WORLD
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> ---
>
> root@samba-fs:~# cat /etc/resolv.conf
> search museum.rubens.world
> nameserver 192.168.0.241
Add the second DC also.
>
> ---
> root@samba-fs:~# cat /etc/hosts
> 127.0.0.1 localhost
> 192.168.0.243 samba-fs.museum.rubens.world samba-fs
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> ---
>
> root@samba-fs:~# cat /etc/samba/smb.conf
> [global]
> workgroup = RUBENS
> realm = MUSEUM.RUBENS.WORLD
> netbios name = SAMBA-FS
> security = ADS
> encrypt passwords = yes
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = tdb
> idmap config * : range = 70000-79999
> idmap config RUBENS:backend = rid
> idmap config RUBENS:schema_mode = rfc2307
If you use RID, remove "idmap config RUBENS:schema_mode = rfc2307"
> idmap config RUBENS:range = 3000000-4000000
>
> map untrusted to domain = yes
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> username map = /etc/samba/user.map
>
> guest account = nobody
> printing = bsd
> printcap name = /etc/printcap
>
> [gf]
> path = /fs/gf
> read only = no
> admin users = "@RUBENS\Domain Admins"
Are you setting up with POSIX ACLs or Windows ACLs?
If Windows ACLs, remove admin users = "@RUBENS\Domain Admins"
and set it from within Windows.
I'm wondering if a username map is allowed in a share? I don't know that.
>
> ---
>
> root@samba-fs:~# net rpc rights list privileges SeDiskOperatorPrivilege -U "RUBENS\administrator"
> Enter RUBENS\administrator's password:
> SeDiskOperatorPrivilege:
> RUBENS\Administrator
> RUBENS\domain admins
> BUILTIN\Administrators
This is not how to set it.
You only need: BUILTIN\Administrators
Because "RUBENS\domain admins" is a member of "BUILTIN\Administrators"
And "RUBENS\Administrator" is a member of "RUBENS\domain admins"
If the server isn't in production yet:
Try the following on the samba-fs, remove it from the domain, cleanup, and re-add it.
Stop samba winbind smbd nmbd.
#Login:
kinit Administrator
#leave the domain.
net ads remove -k
#cleanup.
mv /etc/krb5.keytab{,.old}
rm /var/lib/samba/*.tdb
rm /var/lib/samba/private*.tdb
rm /var/cache/samba/*.tdb
rm /var/cache/samba/*.dat
#DNS manager:
Now check your DNS to see if there still is a DNS A record for this host.
If there is, remove it.
#AD user/computers.
Remove the computer samba-fs there also.
#Wait a min.
Now add the samba-fs again.
net ads join -k
and see what happens then.
Greetz,
Louis
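
The two smb.conf points raised in the reply above (a `schema_mode` line left over for a domain whose idmap backend is `rid`, and `admin users` on a share that is meant to be managed with Windows ACLs) can be checked mechanically. The following is an added example, not part of the original mail or of Samba; `parse_smb_conf` and `audit` are hypothetical helpers, the sample configuration is constructed from the settings quoted in the thread, and treating `vfs objects = acl_xattr` as the sign that Windows ACLs are in use is an assumption.

```python
import re

# Constructed sample: the [global]/[gf] settings quoted in the thread, trimmed.
SAMPLE_SMB_CONF = r"""
[global]
    workgroup = RUBENS
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 70000-79999
    idmap config RUBENS:backend = rid
    idmap config RUBENS:schema_mode = rfc2307
    idmap config RUBENS:range = 3000000-4000000
    vfs objects = acl_xattr
[gf]
    path = /fs/gf
    read only = no
    admin users = "@RUBENS\Domain Admins"
"""

def parse_smb_conf(text):
    """Return {section: {option: value}}; option names are lower-cased and
    whitespace around ':' is collapsed so both idmap spellings compare equal."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            conf[section][key] = value.strip()
    return conf

def audit(conf):
    """Flag the two smb.conf points raised in the reply (hypothetical helper)."""
    findings, glob = [], conf.get("global", {})
    for key, value in glob.items():
        m = re.fullmatch(r"idmap config (.+):backend", key)
        if m and value.lower() == "rid" and f"idmap config {m.group(1)}:schema_mode" in glob:
            findings.append(f"[global] schema_mode set for '{m.group(1)}' although backend is rid")
    # Assumption: acl_xattr in [global] means shares are managed with Windows ACLs.
    windows_acls = "acl_xattr" in glob.get("vfs objects", "").split()
    for name, opts in conf.items():
        if name != "global" and windows_acls and "admin users" in opts:
            findings.append(f"[{name}] 'admin users' set while acl_xattr (Windows ACLs) is enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```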