[Samba] acl_xattr - AD Computer Management - Failed to enumerate objects in container

Isaac Stone isaac.stone at som.com
Wed Nov 11 18:52:17 UTC 2020


I am following this guide

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

But hitting issues with setting permissions on the share in Computer
Management in the windows AD DC UI. Every time I try I get the error dialog
with

+----------------------------------------------------------------+
| An error occurred while applying security information to       |
|                                                                |
| \\IP\Share                                                     |
|                                                                |
| Failed to enumerate objects in the container. Access is denied |
+----------------------------------------------------------------+

Running tail -f /var/log/{samba/log.smbd,access/access.log,messages} and I
see nothing printed. No idea what is denying access.


Running RHEL-8 with Samba version 4.12.3, in a clustered setup with CTDB


smb.conf
#======================= Global Settings =====================================
[global]
netbios name = C25-USE1
realm = SAMDOM.LOCAL
workgroup = SAMDOM

security = ads

clustering = yes
fake oplocks = no

log level = 2

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM: backend = rid
idmap config SAMDOM: range = 10000-999999

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

map acl inherit = yes

winbind refresh tickets = yes

# disables printing:
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

bind interfaces only = yes
interfaces = lo eth0

#============================ Share Definitions ==============================
[share]
path = "/mnt/share"
writeable = yes
browsable = yes
fileid:algorithm = fsname
vfs objects = fileid acl_xattr shadow_copy2
acl_xattr:ignore system acls = yes
shadow:mountpoint = /mnt/
shadow:snapdir = /snapshots/
shadow:snapsharepath = share
shadow:format = %Y-%m-%dT%H:%M:%SZ

SeDiskOperatorPrivilege is granted successfully

# net rpc rights list 'SAMDOM\domain admins' -U isaac.stone
Enter isaac.stone's password:
SeDiskOperatorPrivilege

There are no NTACL attrs at all on the root share

# getfattr -n security.NTACL -d /mnt/share/
/mnt/share/: security.NTACL: No such attribute

but they do exist on some objects within the share

# getfattr -d -m - /mnt/share/*

# file: mnt/share/images-100x10 - 2
user.DOSATTRIB=0sAAAEAAQAAABRAAAAEAAAAIaIcN2Jt9YBhodw3Ym31fE=

# file: mnt/share/izak.txt
security.NTACL=0sAwADAAAAAgAEAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAASMZAAAAIAAAAAAAAAAnAAAAAEFAAAAAAAFFQAAAILUlp1JoMuFe/v65V0EAAABBQAAAAAABRUAAACC1JadSaDLhXv7+uUBAgAAAgCQAAUAAAAAABgA/wEfAAECAAAAAAAFIAAAACACAAAAABQAvwESAAEBAAAAAAABAAAAAAAAFAD/AR8AAQEAAAAAAAUSAAAAAAAkAP8BHwABBQAAAAAABRUAAACC1JadSaDLhXv7+uVdBAAAAAAkAL8BEfABBQAAAAAABRUAAACC1JadSaDLhXv7+uUBAgAA
user.DOSATTRIB=0sAAAEAAQAAABRAAAAIAAAAC0OhIWSt9YBLQ6EhZK31fE=

I have run out of ideas of things to check. Any advice?
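As an added example (not from the post or from the Samba project), a small Python checker that parses `getfattr -d -m -` output like the listing above, reports which entries carry no security.NTACL xattr (the ACL store acl_xattr relies on when `acl_xattr:ignore system acls = yes`), and reads the version field of the ones that do. The embedded listing is constructed from the post's output; its NTACL value is only the first six bytes of the post's blob (the xattr_NTACL header), not a full security descriptor.

```python
import base64
import struct

# Constructed sample in the format of `getfattr -d -m - <path>`, modelled on the
# post's listing. The security.NTACL value is only the 6-byte header, not a real SD.
SAMPLE = """# file: mnt/share
user.DOSATTRIB=0sAAAEAAQAAABRAAAAEAAAAIaIcN2Jt9YBhodw3Ym31fE=

# file: mnt/share/images-100x10 - 2
user.DOSATTRIB=0sAAAEAAQAAABRAAAAEAAAAIaIcN2Jt9YBhodw3Ym31fE=

# file: mnt/share/izak.txt
security.NTACL=0sAwADAAAA
user.DOSATTRIB=0sAAAEAAQAAABRAAAAIAAAAC0OhIWSt9YBLQ6EhZK31fE=
"""


def decode_value(value):
    """getfattr prints values as 0s<base64>, 0x<hex> or a double-quoted string."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    return value.strip('"').encode()


def parse_getfattr(text):
    """Parse getfattr -d output into {path: {attr_name: raw_bytes}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            current = line[len("# file: "):]
            entries[current] = {}
        elif line and current is not None:
            name, _, value = line.partition("=")   # base64 padding keeps its '='
            entries[current][name] = decode_value(value)
    return entries


def ntacl_version(blob):
    """xattr_NTACL (Samba librpc/idl/xattr.idl) begins with a little-endian uint16 version."""
    return struct.unpack_from("<H", blob, 0)[0]


def audit(text):
    """Return (paths without security.NTACL, {path: NTACL version} for the rest)."""
    missing, versions = [], {}
    for path, attrs in parse_getfattr(text).items():
        if "security.NTACL" in attrs:
            versions[path] = ntacl_version(attrs["security.NTACL"])
        else:
            missing.append(path)
    return missing, versions


if __name__ == "__main__":
    no_acl, have_acl = audit(SAMPLE)
    print("no security.NTACL:", no_acl)       # share root and one subdir in the sample
    print("NTACL versions:", have_acl)        # {'mnt/share/izak.txt': 3}
```

Run it against real output with `getfattr -d -m - -R /mnt/share | python3 check_ntacl.py`-style piping after replacing SAMPLE with `sys.stdin.read()`; a share root listed under "no security.NTACL" matches the symptom in the post.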

