[Samba] Cannot set permissions from Windows: "Failed to Enumerate Objects in the Container. Access is denied."
Rowland Penny
rpenny at samba.org
Wed Sep 15 19:01:52 UTC 2021
On Wed, 2021-09-15 at 14:35 -0400, cpierre--- via samba wrote:
> Hi,
>
> I have a domain joined Samba fileserver, I'm attempting to grant
> permissions based on AD Objects. I'm able to access the share after
> chown on the mount

How did you 'chown' the permissions?

> path, however permissions cannot be adjusted from the Windows client.
>
> Nothing in the logs stands out at default logging level.
>
> smbstatus --version
>
> Version 4.11.6-Ubuntu
>
> Here is my /etc/samba/user.map:
>
> !root = ${DOMAINNAME}\Administrator ${DOMAINNAME}\administrator
> Administrator administrator
>
You do not need all that, just:
!root = ${DOMAINNAME}\Administrator
>
>
> /etc/samba/smb.conf:
>
> [global]
> workgroup = ${DOMAINNAME}
> security = ADS
> realm = ${DNSDOMAIN}
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> server string = Data %h
>
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = yes
> winbind normalize names = Yes
>
> ## map ids outside of domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> ## map ids from the domain the ranges may not overlap !
> idmap config ${DOMAINNAME} : backend = rid
> idmap config ${DOMAINNAME} : range = 10000-999999
> template shell = /bin/bash
> template homedir = /home/${DOMAINNAME}/%U
>
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> #map to guest = bad user
> host msdfs = no
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/user.map
>
> # For ACL support on domain member
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> acl_xattr:ignore system acls = yes
>
> # disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> [${VOLUME}]
> path = /share/samba/${VOLUME}
> read only = no
>
There doesn't seem to be anything wrong there, is AppArmor getting in
the way?
Have you read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Rowland