Re: [Samba] Failed to enumerate objects in the container. Access is denied.




I've commented in between the lines, but first do what Rowland already told you. 

When done, read on, some other pointers. 

 

... 

> 

> Dear colleagues and samba-experts,

> 

> I installed a samba-file-server as a samba domain-member using debian

> jessie-packages, following the samba-manual "Setting up Samba as a Domain

> Member".

> 

> I can access the shares and create files but there are issues concerning

> security.

> 

> As proposed I am using RSAT (on a german Windows 10 Pro, logged in as

> Domain Administrator) to set details concerning the shares.

> 

> When for example I want to remove "everyone" from accessing a share and

> try to save it, I receive the following message:

 

Ok, before you remove it, add "authenticated users" with full control to the "SHARE" security. 

Click apply, then remove everyone. If that does not work, reboot your PC first or log out/log in again. 

 

 

> 

> ---

> german:

> 

> Fehler beim Anwenden der Sicherheit

> 

> Fehler beim Anwenden von Sicherheitsinformationen auf:

> 

> \\samba-fs\museum.rubens.world\mrtx

Is this correct? Based on your smb.conf I would expect the following (typo?): 

\\samba-fs.museum.rubens.world\mrtx

 

> There is another error message I receive but I guess it does not have to

> do with it - when joining the domain I receive these error messages:

> 

> ---

> 

> root@samba-fs:~# net ads join -U administrator

> Enter administrator's password:

> Using short domain name -- RUBENS

> Joined 'SAMBA-FS' to dns domain 'museum.rubens.world'

> DNS Update for samba-fs.museum.rubens.world failed:

> ERROR_DNS_UPDATE_FAILED

> DNS update failed: NT_STATUS_UNSUCCESSFUL

> 

 

Check your DNS to see if the correct record exists. 

 

 

> ---

> 

> I followed the guides "Troubleshooting Samba Domain Members" and "Testing

> Dynamic DNS Updates"

> 

> On both dc's I get the following:

> 

> ---

> 

> root@dc2:~# samba_dnsupdate --verbose --all-names

> 

> IPs: ['192.168.0.242']

> Calling nsupdate for A dc2.museum.rubens.world 192.168.0.242 (add)

> Outgoing update query:

> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0

> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

> ;; UPDATE SECTION:

> dc2.museum.rubens.world. 900     IN    A     192.168.0.242

> 

> ; TSIG error with server: tsig verify failure

> Failed nsupdate: 2

> Calling nsupdate for A museum.rubens.world 192.168.0.242 (add)

> Outgoing update query:

> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0

> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

> ;; UPDATE SECTION:

> museum.rubens.world.  900   IN    A     192.168.0.242

> 

> [...]

> 

> ; TSIG error with server: tsig verify failure

> Failed nsupdate: 2

> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-

> Name._sites.ForestDnsZones.museum.rubens.world dc2.museum.rubens.world 389

> (add)

> Outgoing update query:

> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0

> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

> ;; UPDATE SECTION:

> _ldap._tcp.Default-First-Site-

> Name._sites.ForestDnsZones.museum.rubens.world. 900 IN SRV 0 100 389

> dc2.museum.rubens.world.

> 

> ; TSIG error with server: tsig verify failure

> Failed nsupdate: 2

> Failed update of 26 entries

> 

> ---

> 

> This seems to be a harmless bug:

> https://lists.samba.org/archive/samba/2015-March/190408.html

> 

> But it may be related to the problem.

> 

> 

> I updated from debian jessie to stretch, hoping to improve the situation,

> but that did not help.

> 

> the domain controllers run Samba 4.2.14-Debian.

If you want, you can safely upgrade your DCs with my 4.5.3 packages. 

 

> 

> My samba-fs-Setup:

> 

> 

> root@samba-fs:~# samba -V

> Version 4.5.6-Debian

> 

> ---

> 

> root@samba-fs:~# cat /etc/krb5.conf

> [libdefaults]

>     default_realm = MUSEUM.RUBENS.WORLD

>     dns_lookup_realm = false

>     dns_lookup_kdc = true

> 

> ---

> 

> root@samba-fs:~# cat /etc/resolv.conf

> search museum.rubens.world

> nameserver 192.168.0.241

Add the second DC also.

 

 

> 

> ---

> root@samba-fs:~# cat /etc/hosts

> 127.0.0.1 localhost

> 192.168.0.243   samba-fs.museum.rubens.world samba-fs

> 

> # The following lines are desirable for IPv6 capable hosts

> ::1     localhost ip6-localhost ip6-loopback

> ff02::1 ip6-allnodes

> ff02::2 ip6-allrouters

> 

> ---

> 

> root@samba-fs:~# cat /etc/samba/smb.conf

> [global]

>        workgroup = RUBENS

>        realm = MUSEUM.RUBENS.WORLD

>        netbios name = SAMBA-FS

>        security = ADS

>        encrypt passwords = yes

> 

>        log file = /var/log/samba/%m.log

>        log level = 1

> 

>        idmap config * : backend = tdb

>        idmap config * : range = 70000-79999

>        idmap config RUBENS:backend = rid

>        idmap config RUBENS:schema_mode = rfc2307


If you use RID, remove "idmap config RUBENS:schema_mode = rfc2307" 

 

>        idmap config RUBENS:range = 3000000-4000000

> 

>        map untrusted to domain = yes

> 

>        winbind nss info = rfc2307

>        winbind trusted domains only = no

>        winbind use default domain = yes

>        winbind enum users = yes

>        winbind enum groups = yes

> 

>        vfs objects = acl_xattr

>        map acl inherit = yes

>        store dos attributes = yes

>        username map = /etc/samba/user.map

> 

>        guest account = nobody

>        printing = bsd

>        printcap name = /etc/printcap

> 

> [gf]

>        path = /fs/gf

>        read only = no

>        admin users = "@RUBENS\Domain Admins"

Are you setting up with POSIX ACLs or Windows ACLs? 

If Windows ACLs, remove admin users = "@RUBENS\Domain Admins"
and set it from within Windows. 

I'm wondering if a username map is allowed in a share? I don't know that. 

 

 

> 

> ---

> 

> root@samba-fs:~# net rpc rights list privileges SeDiskOperatorPrivilege -U "RUBENS\administrator"

> Enter RUBENS\administrator's password:

> SeDiskOperatorPrivilege:

>   RUBENS\Administrator

>   RUBENS\domain admins

>   BUILTIN\Administrators

 

This is not how to set it. 

You only need: BUILTIN\Administrators

because "RUBENS\domain admins" is a member of "BUILTIN\Administrators" 

and "RUBENS\Administrator" is a member of "RUBENS\domain admins".

 

 

If the server isn't in production yet, try the following on samba-fs: remove it from the domain, clean up, and re-add it. 

Stop samba, winbind, smbd and nmbd. 

#Login: 
kinit Administrator 

#Leave the domain.
net ads remove -k

#Cleanup. 
mv /etc/krb5.keytab{,.old}  
rm /var/lib/samba/*.tdb
rm /var/lib/samba/private*.tdb
rm /var/cache/samba/*.tdb
rm /var/cache/samba/*.dat

#DNS manager: 
Now check your DNS to see if there still is a DNS A record for this host. 
If there is, remove it. 

#AD Users and Computers. 
Remove the computer samba-fs there also. 

#Wait a minute.

Now add samba-fs again: 

net ads join -k 

and see what happens then. 

 

 

Greetz, 

 

Louis
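As an added example (not part of the thread, and not Louis's or Samba's own code), the following script checks a member server's smb.conf and resolv.conf for three of the points raised in the reply above: schema_mode set next to the rid backend, admin users on a share that manages ACLs from Windows via acl_xattr, and only one nameserver listed. The sample configs are constructed from the ones quoted in the thread; the lint functions and their messages are this example's own.

```python
import configparser
import re

# Constructed sample: the relevant lines of the smb.conf quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = RUBENS
    idmap config * : backend = tdb
    idmap config RUBENS:backend = rid
    idmap config RUBENS:schema_mode = rfc2307
    idmap config RUBENS:range = 3000000-4000000
    vfs objects = acl_xattr
[gf]
    path = /fs/gf
    read only = no
    admin users = "@RUBENS\\Domain Admins"
"""
# Constructed sample: the resolv.conf quoted in the thread (one DC only).
SAMPLE_RESOLV_CONF = "search museum.rubens.world\nnameserver 192.168.0.241\n"

def parse_smb_conf(text):
    # smb.conf is INI-like, but ':' must not act as a separator because
    # idmap keys look like "idmap config RUBENS:backend"; keep key case.
    cp = configparser.ConfigParser(delimiters=("=",), strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def lint_smb_conf(text):
    cp = parse_smb_conf(text)
    g = cp["global"]
    findings = []
    # schema_mode belongs to the 'ad' backend; next to 'rid' it is dead config.
    for key, value in g.items():
        m = re.match(r"idmap config\s*([^*:\s]+)\s*:\s*backend$", key)
        if m and value.strip().lower() == "rid":
            dom = m.group(1)
            if any(re.match(rf"idmap config\s*{re.escape(dom)}\s*:\s*schema_mode$", k) for k in g):
                findings.append(f"remove 'idmap config {dom}:schema_mode' (ignored by the rid backend)")
    # With acl_xattr the share ACLs are managed from Windows; 'admin users' makes
    # those users operate as root on the share, bypassing the ACLs just set.
    windows_acls = "acl_xattr" in g.get("vfs objects", "")
    for share in cp.sections():
        if windows_acls and cp.has_option(share, "admin users"):
            findings.append(f"[{share}]: drop 'admin users' and set permissions from Windows")
    return findings

def lint_resolv_conf(text):
    # resolv.conf should list both DCs so lookups survive one DC being down.
    servers = [ln.split()[1] for ln in text.splitlines() if ln.split()[:1] == ["nameserver"] and len(ln.split()) > 1]
    return ["only one nameserver configured; add the second DC"] if len(servers) < 2 else []
```

Run it against the real files with `lint_smb_conf(open("/etc/samba/smb.conf").read())` and `lint_resolv_conf(open("/etc/resolv.conf").read())`; an empty list means none of the three issues were found.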

 
