[Samba] Failed to enumerate objects in the container. Access is denied.
L.P.H. van Belle
belle at bazuin.nl
Thu Mar 30 08:43:06 UTC 2017
First of all..
> It was not and I had to start a complete new setup. the ssd has died and i
> did not have any backups, raid or stuff setup.
This is bad for you but good for me in helping you ;-)
I'm going with the assumption that you're able to do a new, clean install.
And on the question:
> Now I am stuck with the problem, that wbinfo works but getent shows only
> local users or groups. I hope a more up to date samba will resolve that.
A possible solution is also in the setup below. (check nsswitch.conf)
At the least you can also review your steps.
You can run this with all the Debian default packages and/or with the addition of my packages.
So you can choose from the 4.2.14 Debian stable packages,
the 4.5.3 packages from my apt repo, or a 4.6.0/4.6.1 package as a test package outside the repo.
Setup and info: ( http://apt.van-belle.nl and http://downloads.van-belle.nl/samba4 )
So, a clean setup on jessie, and you want a member server..
If you do exactly as I'm showing here, you have a working Samba member on jessie in one go.
! If you can start cleanly, that's the best.
! Pre-steps: remove any old DNS record and remove the computer object from the AD. (I use the RSAT tools for that)
Setup jessie:
Choose expert install, and at tasksel choose only SSH server. (Optional, and the standard package, but I set up really minimal.)
# install WITH a static IP from the start (best), or install with a DHCP IP and change /etc/hosts, /etc/resolv.conf and /etc/network/interfaces.
Check all these.
# FQDN
hostname -f
# hostname
hostname -s
# domainname
hostname -d
# host IP
hostname -i
If one isn't correct, stop here, correct it, and reboot the server.
Next,
install the needed packages.
apt-get install samba smbclient samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind krb5-user ntp bind9-host libpam-krb5
# At the questions, fill in your DC IP numbers for ntp.
# For krb5-user, fill in your REALM in CAPS.
# Keep all other defaults.
Stop samba and winbind:
systemctl stop samba
systemctl stop winbind
Set up /etc/samba/smb.conf.
This is "my" minimal setup, well tested.
Change NTDOM, DOM.TLD, eth/IP etc. to your setup.
#### BEGIN SMB.CONF
[global]
workgroup = NTDOM
security = ADS
realm = NTDOM.DOM.TLD
# MEMBER SERVER SETTING ONLY (NMBD); an AD DC does not start NMBD.
# Set master browser for the network.
# preferred + domain master = guaranteed master browser (man smb.conf)
# !! MAKE SURE THERE IS ONLY ONE MASTER BROWSER !!
#preferred master = yes
#domain master = yes
# your interface name (ethX) or the IP from hostname -i, plus loopback
interfaces = ethX 127.0.0.1
bind interfaces only = yes
dns proxy = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# renew the kerberos ticket
winbind refresh tickets = yes
## Make sure you match the DC backends also for best results.
## https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
# map IDs from outside the domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# map IDs from the domain; the ranges may not overlap!
# https://wiki.samba.org/index.php/Idmap_config_ad
#idmap config NTDOM: backend = ad
#idmap config NTDOM: schema_mode = rfc2307
# Use home directory and shell information from AD
#winbind nss info = rfc2307
# or
# https://wiki.samba.org/index.php/Idmap_config_rid
idmap config NTDOM: backend = rid
idmap config NTDOM: range = 10000-3999999
# Template settings for login shell and home directory
winbind nss info = template
template shell = /bin/bash
# this one matches the [users] share below.
template homedir = /home/samba/users/%U
# show users/groups with : getent passwd
# when set to no, use : getent passwd username
winbind enum users = yes
winbind enum groups = yes
# enable offline logins
winbind offline logon = yes
# depth of nested groups to check; ! slows down your Samba if the group depth is too large
# 4-5 is a good default
winbind expand groups = 4
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# disable usershare creation; when set empty, you don't get error log messages.
usershare path =
# Disable printing completely; remove this
# or set up to your needs if you need printing.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# For Windows ACL support on a member file server,
# enabled globally, OBLIGATORY.
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
# You need only 2-4 lines per share if you go for windows ACL.
# sample share setup.
[profiles]
browseable = yes
path = /home/samba/profiles
read only = no
acl_xattr:ignore system acl = yes
[users]
browseable = yes
path = /home/samba/users
read only = no
acl_xattr:ignore system acl = yes
# This acl_xattr is optional; this one depends on your network setup,
# you decide.
[public]
browseable = yes
path = /home/samba/public
read only = no
#### END SMB.CONF
Set up the user mapping file: /etc/samba/samba_usermapping
!root = NTDOM\Administrator NTDOM\administrator
# Change your /etc/nsswitch.conf
cp /etc/nsswitch.conf{,.backup}
# jessie pads the keyword with several spaces, so match any whitespace, not a single space
sed -i -E 's/^(passwd:[[:space:]]+compat)[[:space:]]*$/\1 winbind/' /etc/nsswitch.conf
sed -i -E 's/^(group:[[:space:]]+compat)[[:space:]]*$/\1 winbind/' /etc/nsswitch.conf
Now, if you didn't change anything else, you should be ready.. ;-) Yes, ready.
kinit administrator
( should respond with administrator@REALM and log in )
# join the domain.
net ads join -S hostname-DC.your.domain.tld -k
# setup the SePrivileges, yes all of these, because this is for the group "DOMAIN ADMINS"
# and Domain Admins are allowed everything. ( optional: change NTDOM\Domain Admins to BUILTIN\Administrators )
# both work well, I prefer it like below.
# change the 2 variables below to match your setup.
SETNTPASSWD='YOUR_Administrator_PASSWD'
SETNTDOM='NTDOM'
# net reads the password from stdin; one grant per privilege.
for PRIV in \
    SeDiskOperatorPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege \
    SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeSecurityPrivilege \
    SeSystemtimePrivilege SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege \
    SeSystemProfilePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege \
    SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege \
    SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege \
    SeEnableDelegationPrivilege; do
  echo "${SETNTPASSWD}" | net rpc rights grant "${SETNTDOM}\Domain Admins" "${PRIV}" -UAdministrator
done
Set up PAM configs for ssh, krb5 and winbind:
pam-auth-update
Reboot the server.
Log in on the server (ssh), check your logs (syslog, samba etc.), then log in on a Windows PC as "DOMAIN\Administrator",
connect to the server, and set up your share security and folder security.
See the Samba wiki for the setup.
# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Give it a go and if you have questions, ask.
PS. For SSO with ssh, you need a small adjustment in sshd_config:
set GSSAPIAuthentication yes
Greetz,
Louis
> -----Original message-----
> From: osdc at mailbox.org [mailto:osdc at mailbox.org]
> Sent: Wednesday, 29 March 2017 20:17
> To: L.P.H. van Belle via samba; L.P.H. van Belle
> Subject: Re: [Samba] Failed to enumerate objects in the container.
> Access is denied.
>
> Hi colleagues,
>
> I am deeply impressed by the quick support on this list. Thank you a
> lot.
>
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote on 29 March
> 2017 at 16:19:
> >
> >
> > I've commented in between the lines, but first do what Rowland already
> told you.
> >
> > When done, read on, some other pointers.
> >
>
> >
> > > \\samba-fs\museum.rubens.world\mrtx
> >
> > Is this correct, because based on your smb.conf I would expect. Typo?
> >
>
> yes, that was some share i tested with before.
>
>
> > >
> >
> > > the domain controllers run Samba 4.2.14-Debian.
> >
> > If you want you can safely upgrade your DC's with my 4.5.3 packages.
>
> Usually I prefer the standard Debian packages so as not to break their
> security concept. But that old Samba may cause some of the trouble I would
> like to avoid. So your offer sounds great; are they debs? Where do I find
> them?
>
>
> >
> > Add the second DC also.
>
> okay
>
> >
> >
> > Are you setting up with POSIX ACL or Windows ACL?
> >
> > If windows ACl, remove admin users = "@RUBENS\Domain Admins"
>
> Yes, Windows ACL
>
>
> >
> > If the server isn't in production yet.
>
> It was not and I had to start a complete new setup. The SSD has died and I
> did not have any backups, RAID or stuff set up.
>
> Now I am stuck with the problem, that wbinfo works but getent shows only
> local users or groups. I hope a more up to date samba will resolve that.
>
> Your help is appreciated.
>
> martin
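An added example, not code from Louis's post or from the Samba project: two offline checks for the steps of the member-server setup above that most often leave "getent" showing only local users or hand out clashing IDs. The first check patches the passwd: and group: lines of an nsswitch.conf so that winbind is a source (whitespace-tolerant, since Debian pads those lines with several spaces), the second parses the "idmap config ...:range" lines of an smb.conf and refuses overlapping ranges, since two overlapping ranges let the same uid/gid be mapped to two different SIDs. The nsswitch.conf and smb.conf fragments are constructed inline for the demonstration; NTDOM, the tdb and rid backends and the ranges are the values from the smb.conf in the post.

```shell
#!/bin/bash
# Added example (not from the original post): offline checks for two steps of
# the member-server setup above. Sample file contents are constructed inline.
set -u

# Constructed sample: a jessie-style /etc/nsswitch.conf, where the keyword and
# the source list are separated by several spaces, not by a single one.
SAMPLE_NSSWITCH='passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns'

# Constructed sample: the idmap part of the smb.conf above (NTDOM, rid backend).
SAMPLE_SMBCONF='[global]
   workgroup = NTDOM
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config NTDOM: backend = rid
   idmap config NTDOM: range = 10000-3999999'

# Same idmap block with a misconfigured * range that overlaps the domain range.
OVERLAP_SMBCONF='   idmap config *:range = 2000-19999
   idmap config NTDOM: range = 10000-3999999'

# Filter: append "winbind" to the passwd: and group: source lists of an
# nsswitch.conf read on stdin, unless it is already there. Whitespace-tolerant
# and idempotent, so it is safe to re-run on an already patched file.
add_winbind_nss() {
  awk '
    /^(passwd|group):/ {
      has = 0
      for (i = 2; i <= NF; i++) if ($i == "winbind") has = 1
      if (!has) $0 = $0 " winbind"
    }
    { print }'
}

# Filter: print "<domain> <low> <high>" for every "idmap config <dom>:range"
# line of an smb.conf read on stdin (keys are case-insensitive in smb.conf).
idmap_ranges() {
  awk -F'=' '
    tolower($1) ~ /^[ \t]*idmap config [^:]+:[ \t]*range[ \t]*$/ {
      dom = substr($1, 1, index($1, ":") - 1)
      sub(/^.*[ \t]/, "", dom)
      split($2, r, "-")
      gsub(/[ \t]/, "", r[1]); gsub(/[ \t]/, "", r[2])
      print dom, r[1], r[2]
    }'
}

# Exit 0 when no two idmap ranges overlap, 1 otherwise, naming the pair.
# Overlapping ranges mean the same uid/gid can be handed to two different SIDs.
check_idmap_overlap() {
  idmap_ranges | sort -k2,2n | awk '
    NR > 1 && $2 + 0 <= prev_hi + 0 {
      printf "overlap: %s %s-%s and %s %s-%s\n", prev, prev_lo, prev_hi, $1, $2, $3
      bad = 1
    }
    { prev = $1; prev_lo = $2; prev_hi = $3 }
    END { exit bad ? 1 : 0 }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_NSSWITCH" | add_winbind_nss
printf '%s\n' "$SAMPLE_SMBCONF" | check_idmap_overlap && echo "idmap ranges: ok"
printf '%s\n' "$OVERLAP_SMBCONF" | check_idmap_overlap || echo "idmap ranges: FIX THIS"
```

On a real server you would feed the filters the live files, e.g. `add_winbind_nss < /etc/nsswitch.conf > /etc/nsswitch.conf.new` and `check_idmap_overlap < /etc/samba/smb.conf`, and only swap the new nsswitch.conf in after inspecting it, since a broken nsswitch.conf can lock everyone out.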