[Samba] Cannot set permissions from Windows: "Failed to Enumerate Objects in the Container. Access is denied."

cpierre at coreweave.com cpierre at coreweave.com
Wed Sep 15 18:35:41 UTC 2021 

Hi, 

 

I have a domain joined Samba fileserver, I'm attempting to grant permissions
based on AD Objects. I'm able to access the share after chown on the mount
path, however permissions cannot be adjusted from the Windows client.

 

Nothing stands in the logs stand out at default logging level.

 

smbstatus --version

Version 4.11.6-Ubuntu

 

Here is my /etc/samba/user.map:

 

!root = ${DOMAINNAME}\Administrator ${DOMAINNAME}\administrator
Administrator administrator

 

/etc/samba/smb.conf:

 

[global]

    workgroup = ${DOMAINNAME}

    security = ADS

    realm = ${DNSDOMAIN}

 

    dedicated keytab file = /etc/krb5.keytab

    kerberos method = secrets and keytab

    server string = Data %h

 

    winbind use default domain = yes

    winbind expand groups = 4

    winbind nss info = rfc2307

    winbind refresh tickets = Yes

    winbind offline logon = yes

    winbind normalize names = Yes

 

    ## map ids outside of domain to tdb files.

    idmap config *:backend = tdb

    idmap config *:range = 2000-9999

    ## map ids from the domain  the ranges may not overlap !

    idmap config ${DOMAINNAME} : backend = rid

    idmap config ${DOMAINNAME} : range = 10000-999999

    template shell = /bin/bash

    template homedir = /home/${DOMAINNAME}/%U

 

    domain master = no

    local master = no

    preferred master = no

    os level = 20

    #map to guest = bad user

    host msdfs = no

 

    # user Administrator workaround, without it you are unable to set
privileges

    username map = /etc/samba/user.map

 

    # For ACL support on domain member

    vfs objects = acl_xattr

    map acl inherit = Yes

    store dos attributes = Yes

    acl_xattr:ignore system acls = yes

 

    # Share Setting Globally

    #unix extensions = no

    #reset on zero vc = yes

    #veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/

    #hide unreadable = yes

 

    # disable printing completely

    load printers = no

    printing = bsd

    printcap name = /dev/null

    disable spoolss = yes

 

    # Security

    #client ipc max protocol = SMB3

    #client ipc min protocol = SMB2_10

    #client max protocol = SMB3

    #client min protocol = SMB2_10

    #server max protocol = SMB3

    #server min protocol = SMB2_10

 

    # Time Machine

    #fruit:delete_empty_adfiles = yes

    #fruit:time machine = yes

    #fruit:veto_appledouble = no

    #fruit:wipe_intentionally_left_blank_rfork = yes

 

[${VOLUME}]

   path = /share/samba/${VOLUME}

   read only = no

   #guest ok = no

   #veto files =
/.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network
Trash Folder/Temporary Items/Thumbs.db/

   #delete veto files = yes

More information about the samba mailing list