[Samba] "Failed to Enumerate Objects in the Container. Access is denied." with Windows ACL

NN 708 nn708 at outlook.com
Fri Apr 11 06:13:11 UTC 2025


Thanks for the detailed explanation. It sounds like this won't be trivial to resolve. I'll stick with a privileged container for now.
________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Jonathan Kreider via samba <samba at lists.samba.org>
Sent: Thursday, April 10, 2025 20:03
To: Samba List <samba at lists.samba.org>
Subject: Re: [Samba] "Failed to Enumerate Objects in the Container. Access is denied." with Windows ACL

On Thu, Apr 10, 2025, 6:00 AM Luis Peromarta via samba <
samba at lists.samba.org> wrote:

> I don’t think I can be of any more help as I am no container expert.
> On 10 Apr 2025 at 11:45 +0200, NN 708 <nn708 at outlook.com>, wrote:
> > Thanks for the information! I can confirm it works in a privileged container.
> >
> > However, I'm still curious—since both getfacl and setfacl work in a rootless container, what specific action requires root privileges?
>

The issue with Windows ACLs in a non-privileged container is that Samba
stores the ACLs in the security.ntacls namespace. Since the security
namespace is privileged, meaning host root access only, using Samba's
Windows ACLs in a non-privileged container will not work.

I've been eagerly awaiting full support for Windows ACLs in a non-privileged
container for years now. FreeBSD supports it with the ZFS file system, and
perhaps others. Full NFSv4 ACL support in Linux would be quite welcome for
me, but others who have more say-so (Linus Torvalds) have other views on
this matter.

OpenZFS is working on this, and there are some patches floating about. But
nothing has hit the mainstream to my knowledge.

>
> > Related log:
> > Allowed connection from *.*.*.*
> > make_connection_snum: Connect path is '/tmp' for service [IPC$]
> > Initialising default vfs hooks
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > Initialising custom vfs hooks from [acl_xattr]
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at source3/smbd/smb2_create.c:393
> > smbd_marshall_security_desc: sd_size = 20.
> > smbd_marshall_security_desc: sd_size = 384.
> > smbd_marshall_security_desc: sd_size = 20.
> > smbd_marshall_security_desc: sd_size = 440.
> > smbd_marshall_security_desc: sd_size = 20.
> > smbd_marshall_security_desc: sd_size = 48.
> > smbd_marshall_security_desc: sd_size = 20.
> > smbd_marshall_security_desc: sd_size = 440.
> > smbd_marshall_security_desc: sd_size = 20.
> > smbd_marshall_security_desc: sd_size = 384.
> > smbd_marshall_security_desc: sd_size = 20.
> > smbd_marshall_security_desc: sd_size = 440.
> > smbd_marshall_security_desc: sd_size = 20.
> > smbd_marshall_security_desc: sd_size = 384.
> > smbd_marshall_security_desc: sd_size = 76.
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at source3/smbd/smb2_setinfo.c:142
> > From: samba <samba-bounces at lists.samba.org> on behalf of Luis Peromarta via samba <samba at lists.samba.org>
> > Sent: Thursday, April 10, 2025 14:37
> > To: Samba List <samba at lists.samba.org>
> > Subject: Re: [Samba] "Failed to Enumerate Objects in the Container. Access is denied." with Windows ACL
> >
> > Unsure about podman but with LXC, container must be privileged.
> >
> >
> > On 10 Apr 2025 at 08:31 +0200, NN 708 via samba <samba at lists.samba.org>, wrote:
> > > Hello,
> > >
> > > I am encountering an issue while attempting to configure a minimal Samba file server with Windows ACL support in a containerized environment.
> > >
> > > Environment:
> > > Container runtime: Podman 5.4.0
> > > Base image: docker.io/library/debian:trixie-slim (Debian Trixie)
> > > Samba version: 4.22.0
> > >
> > > Configurations:
> > > 1. Join the domain using: samba-tool domain join mydomain.com MEMBER -U Administrator
> > >
> > > 2. /etc/samba/smb.conf:
> > > # Global parameters
> > > [global]
> > > realm = MYDOMAIN.COM
> > > server role = member server
> > > workgroup = MYDOMAIN
> > > idmap config * : backend = autorid
> > > idmap config * : rangesize = 10000
> > > idmap config * : range = 10000-59999
> > > vfs objects = acl_xattr
> > > map acl inherit = yes
> > > [users]
> > > path = /share/users
> > > read only = no
> > >
> > > 3. Tried both:
> > > # chown root:"MYDOMAIN\Domain Admins" /share/users
> > > # chown "MYDOMAIN\Administrator":"MYDOMAIN\Domain Admins" /share/users
> > >
> > > Despite successful file read/write operations, permission changes on Windows fail with the error: "Failed to Enumerate Objects in the Container. Access is denied."
> > >
> > > Any guidance would be greatly appreciated.
> > >
> > > Best regards,
> > > NN708
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
>
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
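
An added example, not part of the thread and not Samba code: a small Python probe for the point in Jonathan Kreider's reply, that the security xattr namespace is privileged even where getfacl and setfacl work. It tries a constructed test attribute in the user and security namespaces on a directory; the attribute names, function names and verdict strings are assumptions of this example.

```python
import errno
import os
import tempfile

# Constructed probe names (assumption of this example): deliberately NOT
# security.NTACL, so an existing Samba ACL on the path is never overwritten.
PROBES = ("user.xattr_probe", "security.xattr_probe")


def classify(err):
    """Map an errno from setxattr(2)/removexattr(2) to a verdict."""
    if err in (errno.EPERM, errno.EACCES):
        return "denied"          # namespace is privileged for this process
    if err in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return "unsupported"     # no xattr support on this filesystem/mount
    return "error"               # anything else (read-only fs, no space, ...)


def probe(path, name):
    """Set and then remove one test xattr on path; return a verdict."""
    if not hasattr(os, "setxattr"):   # xattr calls are Linux-only in Python
        return "unsupported"
    try:
        os.setxattr(path, name, b"1")
        os.removexattr(path, name)
    except OSError as exc:
        return classify(exc.errno)
    return "ok"


def check_share(path):
    """Verdict per xattr namespace for the directory a share points at."""
    return {name.split(".", 1)[0]: probe(path, name) for name in PROBES}


if __name__ == "__main__":
    import sys
    # Without an argument, fall back to a scratch directory.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    for namespace, verdict in check_share(target).items():
        print(f"{namespace}.*: {verdict}")
```

Run it inside the container against the share directory itself (for example /share/users from the smb.conf above), since the verdict depends on the filesystem behind that path. A result of "denied" for security alongside "ok" for user matches the behaviour described in the reply.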