[Samba] "Failed to Enumerate Objects in the Container. Access is denied." with Windows ACL

NN 708 nn708 at outlook.com
Thu Apr 10 09:44:53 UTC 2025 

Thanks for the information! I can confirm it works in a privileged container.

However, I'm still curious—since both getfacl and setfacl work in a rootless container, what specific action requires root privileges?

Related log:
Allowed connection from *.*.*.*
make_connection_snum: Connect path is '/tmp' for service [IPC$]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at source3/smbd/smb2_create.c:393
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 384.
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 440.
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 48.
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 440.
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 384.
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 440.
smbd_marshall_security_desc: sd_size = 20.
smbd_marshall_security_desc: sd_size = 384.
smbd_marshall_security_desc: sd_size = 76.
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at source3/smbd/smb2_setinfo.c:142
________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Luis Peromarta via samba <samba at lists.samba.org>
Sent: Thursday, April 10, 2025 14:37
To: Samba List <samba at lists.samba.org>
Subject: Re: [Samba] "Failed to Enumerate Objects in the Container. Access is denied." with Windows ACL

Unsure about podman but with LXC, container must be privileged.


On 10 Apr 2025 at 08:31 +0200, NN 708 via samba <samba at lists.samba.org>, wrote:
> Hello,
>
> I am encountering an issue while attempting to configure a minimal Samba file server with Windows ACL support in a containerized environment.
>
> Environment:
> Container runtime: Podman 5.4.0
> Base image: docker.io/library/debian:trixie-slim (Debian Trixie)
> Samba version: 4.22.0
>
> Configurations:
> 1. Join the domain using: samba-tool domain join mydomain.com MEMBER -U Administrator
>
> 2. /etc/samba/smb.conf:
> # Global parameters
> [global]
> realm = MYDOMAIN.COM
> server role = member server
> workgroup = MYDOMAIN
> idmap config * : backend = autorid
> idmap config * : rangesize = 10000
> idmap config * : range = 10000-59999
> vfs objects = acl_xattr
> map acl inherit = yes
> [users]
> path = /share/users
> read only = no
>
> 3. Tried both:
> # chown root:"MYDOMAIN\Domain Admins" /share/users
> # chown "MYDOMAIN\Administrator":"MYDOMAIN\Domain Admins" /share/users
>
> Despite successful file read/write operations, permission changes on Windows fail with the error: "Failed to Enumerate Objects in the Container. Access is denied."
>
> Any guidance would be greatly appreciated.
>
> Best regards,
> NN708
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list