[Samba] acl_xattr - AD Computer Management - Failed to enumerate objects in container
Isaac Stone
isaac.stone at som.com
Wed Nov 11 18:52:17 UTC 2020
I am following this guide
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
But hitting issues with setting permissions on the share in Computer
Management in the Windows AD DC UI. Every time I try I get the error dialog
with
+----------------------------------------------------------------+
| An error occurred while applying security information to |
| |
| \\IP\Share |
| |
| Failed to enumerate objects in the container. Access is denied |
+----------------------------------------------------------------+
Running tail -f /var/log/{samba/log.smbd,access/access.log,messages} and I
see nothing printed. No idea what is denying access.
Running RHEL-8 with Samba version 4.12.3, in a clustered setup with CTDB
smb.conf
#======================= Global Settings =====================================
[global]
netbios name = C25-USE1
realm = SAMDOM.LOCAL
workgroup = SAMDOM
security = ads
clustering = yes
fake oplocks = no
log level = 2
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM: backend = rid
idmap config SAMDOM: range = 10000-999999
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
map acl inherit = yes
winbind refresh tickets = yes
# disables printing:
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
bind interfaces only = yes
interfaces = lo eth0
#============================ Share Definitions ==============================
[share]
path = "/mnt/share"
writeable = yes
browsable = yes
fileid:algorithm = fsname
vfs objects = fileid acl_xattr shadow_copy2
acl_xattr:ignore system acls = yes
shadow:mountpoint = /mnt/
shadow:snapdir = /snapshots/
shadow:snapsharepath = share
shadow:format = %Y-%m-%dT%H:%M:%SZ
SeDiskOperatorPrivilege is granted successfully
# net rpc rights list 'SAMDOM\domain admins' -U isaac.stone
Enter isaac.stone's password:
SeDiskOperatorPrivilege
There are no NTACL attrs at all on the root share
# getfattr -n security.NTACL -d /mnt/share/
/mnt/share/: security.NTACL: No such attribute
but they do exist on some objects within the share
# getfattr -d -m - /mnt/share/*
# file: mnt/share/images-100x10 - 2
user.DOSATTRIB=0sAAAEAAQAAABRAAAAEAAAAIaIcN2Jt9YBhodw3Ym31fE=
# file: mnt/share/izak.txt
security.NTACL=0sAwADAAAAAgAEAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAASMZAAAAIAAAAAAAAAAnAAAAAEFAAAAAAAFFQAAAILUlp1JoMuFe/v65V0EAAABBQAAAAAABRUAAACC1JadSaDLhXv7+uUBAgAAAgCQAAUAAAAAABgA/wEfAAECAAAAAAAFIAAAACACAAAAABQAvwESAAEBAAAAAAABAAAAAAAAFAD/AR8AAQEAAAAAAAUSAAAAAAAkAP8BHwABBQAAAAAABRUAAACC1JadSaDLhXv7+uVdBAAAAAAkAL8BEfABBQAAAAAABRUAAACC1JadSaDLhXv7+uUBAgAA
user.DOSATTRIB=0sAAAEAAQAAABRAAAAIAAAAC0OhIWSt9YBLQ6EhZK31fE=
I have run out of ideas of things to check. Any advice?
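
The getfattr check described in the post, as an added example that is not part of the original message: a small parser for `getfattr -d -m -` output that lists which paths carry no security.NTACL attribute. The sample dump, its attribute values and the function names are constructed for illustration.

```python
import base64

# Constructed sample in the format printed by `getfattr -d -m - <paths>`.
# Paths mirror the post; the attribute values are made-up placeholders.
SAMPLE = """\
# file: mnt/share/
user.DOSATTRIB=0sAAAEAA==

# file: mnt/share/images-100x10 - 2
user.DOSATTRIB=0sAAAEAA==

# file: mnt/share/izak.txt
security.NTACL=0sAwADAA==
user.DOSATTRIB=0x00000400
"""

def decode_value(raw):
    """Decode the three value encodings getfattr can emit."""
    if raw.startswith("0s"):            # base64
        return base64.b64decode(raw[2:])
    if raw.startswith("0x"):            # hex
        return bytes.fromhex(raw[2:])
    return raw.strip('"').encode()      # quoted text

def parse_getfattr(dump):
    """Return {path: {attribute_name: bytes}} from a getfattr dump."""
    result, current = {}, None
    for line in dump.splitlines():
        if line.startswith("# file: "):
            # Header line starts a new record; the path may contain spaces.
            current = result.setdefault(line[len("# file: "):], {})
        elif "=" in line and current is not None:
            name, _, raw = line.partition("=")
            current[name] = decode_value(raw)
    return result

def missing_ntacl(dump, attr="security.NTACL"):
    """Paths in the dump with no NT ACL xattr for acl_xattr to read."""
    parsed = parse_getfattr(dump)
    return sorted(path for path, attrs in parsed.items() if attr not in attrs)

if __name__ == "__main__":
    for path in missing_ntacl(SAMPLE):
        print("no security.NTACL:", path)
```

Paths with no extended attributes at all do not appear in a getfattr dump, so compare the result against a file listing of the share when auditing a whole tree.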