[Samba] "Failed to Enumerate Objects in the Container. Access is denied." with Windows ACL

Luis Peromarta lperoma at icloud.com
Thu Apr 10 09:59:02 UTC 2025 

I don’t think I can be of any more help as I am no container expert.
On 10 Apr 2025 at 11:45 +0200, NN 708 <nn708 at outlook.com>, wrote:
> Thanks for the information! I can confirm it works in a privileged container.
>
> However, I'm still curious—since both getfacl and setfacl work in a rootless container, what specific action requires root privileges?
>
> Related log:
> Allowed connection from *.*.*.*
> make_connection_snum: Connect path is '/tmp' for service [IPC$]
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [acl_xattr]
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at source3/smbd/smb2_create.c:393
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 384.
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 440.
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 48.
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 440.
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 384.
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 440.
> smbd_marshall_security_desc: sd_size = 20.
> smbd_marshall_security_desc: sd_size = 384.
> smbd_marshall_security_desc: sd_size = 76.
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at source3/smbd/smb2_setinfo.c:142
> From: samba <samba-bounces at lists.samba.org> on behalf of Luis Peromarta via samba <samba at lists.samba.org>
> Sent: Thursday, April 10, 2025 14:37
> To: Samba List <samba at lists.samba.org>
> Subject: Re: [Samba] "Failed to Enumerate Objects in the Container. Access is denied." with Windows ACL
>
> Unsure about podman but with LXC, container must be privileged.
>
>
> On 10 Apr 2025 at 08:31 +0200, NN 708 via samba <samba at lists.samba.org>, wrote:
> > Hello,
> >
> > I am encountering an issue while attempting to configure a minimal Samba file server with Windows ACL support in a containerized environment.
> >
> > Environment:
> > Container runtime: Podman 5.4.0
> > Base image: docker.io/library/debian:trixie-slim (Debian Trixie)
> > Samba version: 4.22.0
> >
> > Configurations:
> > 1. Join the domain using: samba-tool domain join mydomain.com MEMBER -U Administrator
> >
> > 2. /etc/samba/smb.conf:
> > # Global parameters
> > [global]
> > realm = MYDOMAIN.COM
> > server role = member server
> > workgroup = MYDOMAIN
> > idmap config * : backend = autorid
> > idmap config * : rangesize = 10000
> > idmap config * : range = 10000-59999
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > [users]
> > path = /share/users
> > read only = no
> >
> > 3. Tried both:
> > # chown root:"MYDOMAIN\Domain Admins" /share/users
> > # chown "MYDOMAIN\Administrator":"MYDOMAIN\Domain Admins" /share/users
> >
> > Despite successful file read/write operations, permission changes on Windows fail with the error: "Failed to Enumerate Objects in the Container. Access is denied."
> >
> > Any guidance would be greatly appreciated.
> >
> > Best regards,
> > NN708
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list