[Samba] Compmgmt.msc connection errors for managing Windows ACL's

Thu Mar 3 22:39:48 UTC 2022

This is a bit of a kludge, and I know I'm mixing and matching packages ...
but here we go.

I have Openmediavault systems, but with Louis 4.11 packages (so Buster-x86
+ Louis 4.11).  I'm finally trying to get Folder Redirection right, so am
configuring User Homes via
https://wiki.samba.org/index.php/Windows_User_Home_Folders.

However, I'm having errors setting the actual Windows ACL, within
Compmgmt.msc:

   - Connecting to my OMV server is fine, but opening "System Tools"
   complains of remote server Firewall and DCOM+ service errors.  Windows logs
   show "DCOM was unable to communicate with the computer <HOST>using any of
   the configured protocols; requested by PID      a90
   (C:\WINDOWS\system32\mmc.exe), while activating CLSID
   {03837521-098B-11D8-9414-505054503030}."

Then, it connects and will show the Shares, etc.

   - At this point, I can edit and save Share Permissions, but attempting
   to change ACL's gives me "Failed to enumerate objects in specified
   Container. Access Denied." errors.
   - Additionally, in the Advanced portion of Permission Entry while
   attempting to add Domain Users, the bottom "add condition to limit access"
   shows "unable to contact Active Directory to access or verify claim types"

I've checked the following:

   - added SeDiskOperatorPrivilege to my account, Domain Admins, etc.
   - /etc/resolv.conf is pointing to my DCs
   - wbinfo -i (and other winbind) seems to work

In all other respects, this behaves like a Domain Member Server (RID).  Any
ideas why this is happening, or should I just use POSIX ACL's?

smb.conf (some of these settings are mine, some are automatically put in by
OMV)

# Global parameters
[global]
        disable spoolss = Yes
        dns proxy = No
        load printers = No
        log file = /var/log/samba/log.%m
        logging = file
        map to guest = Bad User
        max log size = 1000
        multicast dns register = No
        pam password change = Yes
        panic action = /usr/share/samba/panic-action %d
        passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        passwd program = /usr/bin/passwd %u
        printcap name = /dev/null
        realm = SAMDOM.COM
        security = ADS
        server min protocol = SMB2
        server string = %h server
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        template homedir = /home/%U
        template shell = /bin/bash
        username map = /usr/local/share/samba/etc/user.map
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind use default domain = Yes
        workgroup = SAMDOM
        fruit:resource = file
        fruit:metadata = stream
        fruit:locking = none
        fruit:encoding = native
        idmap config SAMDOM : range = 10000-50000
        idmap config SAMDOM : backend = rid
        idmap config * : range = 3000-6999
        fruit:aapl = yes
        idmap config * : backend = tdb
        aio read size = 16384
        aio write size = 16384
        create mask = 0777
        directory mask = 0777
        map acl inherit = Yes
        printing = bsd
        use sendfile = Yes
        vfs objects = acl_xattr fruit streams_xattr

[users]
        comment = User Homes
        create mask = 0664
        directory mask = 0775
        force create mode = 0664
        force directory mode = 0775
        hide dot files = No
        hide special files = Yes
        inherit acls = Yes
        inherit permissions = Yes
        path = /srv/dev-disk-by-label-Storage/users/
        read only = No
        vfs objects =

Thanks,

Kris Lou
klou at themusiclink.net