[Samba] Cannot set permissions from Windows: "Failed to Enumerate Objects in the Container. Access is denied."

Rowland Penny rpenny at samba.org
Wed Sep 15 19:01:52 UTC 2021 

On Wed, 2021-09-15 at 14:35 -0400, cpierre--- via samba wrote:
> Hi, 
> 
>  
> 
> I have a domain joined Samba fileserver, I'm attempting to grant
> permissions
> based on AD Objects. I'm able to access the share after chown on the
> mount

How did you 'chown' the permissions ?

> path, however permissions cannot be adjusted from the Windows client.
> 
>  
> 
> Nothing stands in the logs stand out at default logging level.
> 
>  
> 
> smbstatus --version
> 
> Version 4.11.6-Ubuntu
>  
> Here is my /etc/samba/user.map:
>  
> !root = ${DOMAINNAME}\Administrator ${DOMAINNAME}\administrator
> Administrator administrator
> 
You do not need all that, just:
!root = ${DOMAINNAME}\Administrator

>  
> 
> /etc/samba/smb.conf:
>  
> [global]
>     workgroup = ${DOMAINNAME}
>     security = ADS
>     realm = ${DNSDOMAIN}
>  
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
> 
>     server string = Data %h
>  
>     winbind use default domain = yes
>     winbind expand groups = 4
>     winbind nss info = rfc2307
>     winbind refresh tickets = Yes
>     winbind offline logon = yes
>     winbind normalize names = Yes
>  
>     ## map ids outside of domain to tdb files.
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     ## map ids from the domain  the ranges may not overlap !
>     idmap config ${DOMAINNAME} : backend = rid
>     idmap config ${DOMAINNAME} : range = 10000-999999
>     template shell = /bin/bash
>     template homedir = /home/${DOMAINNAME}/%U
>  
>     domain master = no
>     local master = no
>     preferred master = no
>     os level = 20
>     #map to guest = bad user
>     host msdfs = no
>  
>     # user Administrator workaround, without it you are unable to set
> privileges
>     username map = /etc/samba/user.map
>  
>     # For ACL support on domain member
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>     acl_xattr:ignore system acls = yes
>  
>     # disable printing completely
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
> 
> [${VOLUME}]
>    path = /share/samba/${VOLUME}
>    read only = no
> 

There doesn't seem to be anything wrong there, is apparmor getting in
the way ?

Have you read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland

More information about the samba mailing list