[Samba] Failed to enumerate objects in the container. Access is denied

Rowland Penny rpenny at samba.org
Mon Jan 15 21:24:09 UTC 2018 

On Mon, 15 Jan 2018 18:49:18 -0200
Carlos via samba <samba at lists.samba.org> wrote:

> HI!
> 
> I have one fileserve, has ok but now when change permission(oyher
> user not Administrator) with RSAT show me message:
> 
> "Failed to enumerate objects in the container. Access is denied"

Fairly obvious, the user doesn't have the required permissions

> 
> 
> Samba Version (Compilated)
> 
> 4.7.3
> 
> 
> Ubuntu 16.04
> 
> 
> # smb.conf
> 
> [global]
>          workgroup = XXXXX
>          realm = INTERNO.XXXXX.XXX.BR
>          security = ADS
>          username map = /usr/local/samba/etc/user.map
> 
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>          winbind cache time = 60
> 
>          winbind max clients = 600
>          winbind enum users = Yes
>          winbind enum groups = Yes


Nothing to do with your problem, but you do not need the two lines
above.

>          winbind use default domain = Yes
>          winbind nss info = rfc2307

The line above is only required when using the winbind 'ad' backend and
only then when using Samba < 4.6.0

>          winbind refresh tickets = Yes
>          winbind nss info = template
>          template shell = /bin/bash
> 
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-7999
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-7999

Why are the lines above duplicated ?

>          idmap config XXXXX : backend = rid
>          idmap config XXXXX : range = 10000-999999
> 
>          # Necessario para Fileserver
>          vfs objects = acl_xattr
>          map acl inherit = Yes
>          store dos attributes = Yes
> 
> #
>          # Disable Cups
>          load printers = no
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
> 
>          # Lixeira + Auditoria
>          vfs objects = recycle,full_audit

Congratulations, you have just turned off the acl_xattr vfs object.
 
>          recycle:keeptree = yes
>          recycle:versions = yes
>          recycle:repository = /opt/DADOS/Lixeira/%U
>          recycle:exclude = *.tmp, *.log, *.obj, ~*.*, *.bak, *.iso,
> *.exe recycle:exclude_dir = tmp
>          recycle:touch = yes
>          recycle:touch_mtime = yes
>          full_audit:failure = none
>          full_audit:facility = local5
>          full_audit:priority = notice
>          full_audit:prefix = %u|%I|%S
>          full_audit:success = rename rmdir unlink
> 
> # include
> include = /opt/samba/etc/compartilhamento.conf
> 
> # compartilhamento.conf
> 
> [TEC]
>          path= /opt/DADOS/TEC/
>          read only = no
> 
> # user.map
> 
> !root = XXXXX\Administrator
> 
> 
> ---------------------------------------------------------
> 
> Before today i change permission with any user in group "Admins
> Domain", but today only Administrator(= root) ir work, any user
> receive message the error.
> 
> 
> Any Idea ?

If it worked previously, but doesn't now, something must have changed,
have you updated the DC or the windows client ?

Rowland

More information about the samba mailing list