[Samba] Failed to enumerate objects in the container. Access is denied.

Thu Mar 30 08:43:06 UTC 2017

First of all.. 

> It was not and I had to start a complete new setup. the ssd has died and i

> did not have any backups, raid or stuff setup. 

This is bad for you but good for me in helping you ;-) 

Im go for that your able to do a new clean install.

And on the question : 

> Now I am stuck with the problem, that wbinfo works but getent shows only

> local users or groups. I hope a more up to date samba will resolve that.

A possible solution is also in the setup below. ( check nsswitch.conf )

At least you can review your steps also. 

You can run this with the all debian default packages and/or with addition of my packages.

So you can choose of 4.2.14 Debian stable packages. 

A 4.5.3 packages using my apt repo a 4.6.0/4.6.1 package as test package outside the repo.

Setup and info ( http://apt.van-belle.nl and http://downloads.van-belle.nl/samba4  ) 

So a clean setup on jessie and you want a member server.. 

If you do exact as im showing here, you have a in one go working samba member on jessie.

! If you can start cleanly, thats the best. 

! Pre steps, remove any old DNS record and remove the computer object from the AD. ( I use the RSAT tools for that ) 

Setup jessie: 

Choose expert install, and at taskselect choose only ssh server. ( optional and the standard package, but i setup really minimal ) 

# install WITH static ip from the start, ( best ) or install with dhcp ip and change /etc/hosts /etc/resolv.conf /etc/network/interfaces. 

Check all these. 

# FQDN

hostname ?f

# hostname

hostname ?s

# domainname

hostname ?d

# host IP

hostname ?i

if one isnt correct stop here, correct it, and reboot the server. 

Next, 

Install the needed packages. 

apt-get install samba smbclient samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind krb5-user ntp bind9-host libpam-krb5

#At the questions, fill in you DC ipnumbers at ntp

# krb5-user fill in your REALM in CAPS. 

# keep all other defaults. 

stop samba en winbind

systemctl stop samba

systemctl stop winbind

setup /etc/samba/smb.conf 

this is "my" minimal setup, well tested. 

You change the NTDOM DOM.TLD eth/ip etc to your setup. 
#### BEGIN SMB.CONF

[global]

    workgroup = NTDOM

    security = ADS

    realm = NTDOM.DOM.TLD

    # MEMBER SERVER SETTING ONLY ( NMBD ) and ad dc does not start NMBD

    # Set master browser for the network.

    # preffered + domain master = guarantee master browser ( man smb.conf )

    # !! MAKE SURE THERE ONLY ONE MASTER BROWSER !! 

    #preferred master = yes

    #domain master = yes

    interfaces = ethX_or_ip_`hostname-i` 127.0.0.1

    bind interfaces only = yes

    dns proxy = yes

    dedicated keytab file = /etc/krb5.keytab

    kerberos method = secrets and keytab

    # renew the kerberos ticket

    winbind refresh tickets = yes

    ## Make sure you match the DC backends also for best results. 

    ## https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 

    # map id's outside to domain to tdb files.

    idmap config *:backend = tdb

    idmap config *:range = 2000-9999

    # map ids from the domain  the range may not overlap !

    # https://wiki.samba.org/index.php/Idmap_config_ad 

    #idmap config NTDOM: backend = ad

    #idmap config NTDOM: schema_mode = rfc2307

    # Use home directory and shell information from AD

    #winbind nss info = rfc2307

    # or 

    # https://wiki.samba.org/index.php/Idmap_config_rid 

    idmap config NTDOM: backend = rid

    idmap config NTDOM: range = 10000-3999999

    # Template settings for login shell and home directory

    winbind nss info = template

    template shell = /bin/bash

    # the one matches the user share below. 

    template homedir = /home/samba/users/%U

    # show users/groups with : getent passwd

    # when set to no, use : getent passwd username

    winbind enum users  = yes

    winbind enum groups = yes

    # enable offline logins

    winbind offline logon = yes

    # check depth of nested groups, ! slows down you samba, if to much groups depth

    # 4-5 is a good default

    winbind expand groups = 4

    # user Administrator workaround, without it you are unable to set privileges

    username map = /etc/samba/samba_usermapping

    # disable usershare creating, when set empty, you dont get error log messages.

    usershare path =

    # Disable printing completely, remove this 

    # or setup to your needed if you need printing.

    load printers = no

    printing = bsd

    printcap name = /dev/null

    disable spoolss = yes    

    # For Windows ACL support on member file server, 

    # enabled globaly, OBLIGATED

    # For a mixed setup of rights, put this per share!

    vfs objects = acl_xattr

    map acl inherit = yes

    store dos attributes = yes

    # Share Setting Globally

    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/

    hide unreadable = yes

# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 

# You need only 2-4 lines per share if you go for windows ACL. 

# sample share setup. 

[profiles]

    browseable = yes

    path = /home/samba/profiles

    read only = no

    acl_xattr:ignore system acl = yes

[users]

    browseable = yes

    path = /home/samba/users

    read only = no

    acl_xattr:ignore system acl = yes

    # This acl_xattr is optional, this one depends on you network setup, 

    # you decide. 

[public]

    browseable = yes

    path = /home/samba/public

    read only = no

#### END SMB.CONF 

Setup the user mapping file : /etc/samba/samba_usermapping

!root = NTDOM\Administrator NTDOM\administrator

# Change your /etc/nsswitch.conf

cp /etc/nsswitch.conf{,.backup}

sed -i 's]passwd:         compat]passwd:         compat winbind]g' /etc/nsswitch.conf

sed -i 's]group:          compat]group:          compat winbind]g' /etc/nsswitch.conf

now if you didnt change anything else, you should be ready.. ;-) , yes ready. 

kinit administrator

( should respond with administrator at REALM and login ) 

# join the domain. 

net ads join ?S hostname-DC.your.domain.tld ?k

# setup the SePrivileges, yes all of these, because this is for the group ?DOMAIN ADMINS? 

# and Dom Admin are allowed everything. ( optional change NTDOM\Domain Admins, to BUILDIN\Administrators ) 

# both work good, i preffer like below. 

# change the 2 variables below to match your setup. 

YOUR_NTPASSWD=?YOUR_Administrator_PASSWD? 

SETNTDOM=?NTDOM? 

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeDiskOperatorPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeTakeOwnershipPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeBackupPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeRestorePrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeRemoteShutdownPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SePrintOperatorPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeAddUsersPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeDiskOperatorPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeSecurityPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeSystemtimePrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeShutdownPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeDebugPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeSystemEnvironmentPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeSystemProfilePrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeProfileSingleProcessPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeIncreaseBasePriorityPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeLoadDriverPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeCreatePagefilePrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeIncreaseQuotaPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeChangeNotifyPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeUndockPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeManageVolumePrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeImpersonatePrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeCreateGlobalPrivilege -UAdministrator

echo ${SETNTPASSWD}| net rpc rights grant "${SETNTDOM}\Domain Admins" SeEnableDelegationPrivilege ?Uadministrator

Setup pam configs for ssh krb5 and winbind: 

pam-auth-update

reboot the server. 

Login on the server (ssh) check your logs syslog samba etc.,the login on a windows pc as ?DOMAIN\Administrator? 

connect to the server, and setup your shares security and folder security. 

See the samba wiki for the setup. 

# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 

Give it a go and if you have questions, ask. 

Ps. For SSO with ssh, you need a small adjustment in sshd_config

Set : GSSAPIAuthentication yes

Greetz, 

Louis

> -----Oorspronkelijk bericht-----

> Van: osdc at mailbox.org [mailto:osdc at mailbox.org]

> Verzonden: woensdag 29 maart 2017 20:17

> Aan: L.P.H. van Belle via samba; L.P.H. van Belle

> Onderwerp: Re: [Samba] Failed to enumerate objects in the container.

> Access is denied.

> 

> Hi colleagues,

> 

> I am deeply impressed about the quick support onb this list. Thank you a

> lot.

> 

> > "L.P.H. van Belle via samba" <samba at lists.samba.org> hat am 29. März

> 2017 um 16:19 geschrieben:

> >

> >

> > I've commented inbetween the lines, but first do what Rowland already

> told you.

> >

> > When done, read on, some other pointers.

> >

> 

> >

> > > \\samba-fs\museum.rubens.world\mrtx

> >

> > Is this correct because based on your smb.conf i would expect. Typo?

> >

> 

> yes, that was some share i tested with before.

> 

> 

> > >

> >

> > > the domain controllers run Samba 4.2.14-Debian.

> >

> > If you want you can safely upgrade your DC?s with my 4.5.3 packages.

> 

> Usually I prefer the standard debian packages for not breaking their

> security concept. But that old samba may cause some of the trouble I would

> like to avoid. So your offer sounds great, are they debs? Where do I find

> them?

> 

> 

> >

> > Add the second DC also.

> 

> okay

> 

> >

> >

> > Are you setting up with POSIX ACL or Windows ACL?

> >

> > If windows ACl, remove admin users = "@RUBENS\Domain Admins"

> 

> Yes, Windows ACL

> 

> 

> >

> > If the server isnt in production yet.

> 

> It was not and I had to start a complete new setup. the ssd has died and i

> did not have any backups, raid or stuff setup.

> 

> Now I am stuck with the problem, that wbinfo works but getent shows only

> local users or groups. I hope a more up to date samba will resolve that.

> 

> Your help is appreciated.

> 

> martin