Web lists-archives.com

Re: [Samba] Failed to enumerate objects in the container. Access is denied.




Hai, 

I see Rowland helped a bit already and good things going here.. 
For you setup, this is how i do my setup. 

First your data path

/fs/gf
/fs/othere_path.. 

I normaly start with : 
chmod 2775 /fs
chown root:"Domain Admins" 
( optional share \\server\fs$ ) 

chmod 2775 /fs/gf 
chown root:"Domain Admins"
( or chmod -R ...  but i dont know if you already did setup more ) 
( share \\server\gf )

Connect from within windows to the share and setup the following. 

Start with the SHARE SECURITY. 
Setup the Share rights with Or authenticated users or Everyone with "Full Contol".  *( or set both ) 

And no, this is not insecure, the folder rights protect the write access for everyone and authenticated users.  You always need at least one of these if you do more that a data only share.  ( like software deploying, etc ) 

Next security tab, 

Creator Owner  (special rights)(optional, use creator group is preffered ) 
But as base you need to have minimal. 

Group Owner  (special rights)
Domain Admins (Full control)
YOUR_SPECIAL_GROUP (change) 

Optional depending on needs like GPO things also, software deploy, then these 2 are a must

SYSTEM (full controll)
Verified users ( read ) 

Now In case of  /fs/gf 
After you have set above, dont use chmod any more. 
Do this from withing windows.

And optional you can setup with. 
acl_xattr:ignore system acl = yes 
but think before you set that one, if you set, apply/check all of the above  again. 

Now last. 
On the security tab, klik advanced. 
In above setup, the owner should be root. That is correct keep it.

Klik on change permissions. 
( optional ) Remove the checkmark from "Include inheritable permissions from this objects perent"
And set the other one. (Obligated)
Apply.

Im assuming you kept the default "primary group" in the AD, for the users. 
So it should be "domain users" . 

The setup works as followed. 

Share rights, allows everyone ( and or authenticated users)  to connect and write over the share.

Security rights, allows only that what is set to write, 
This is mixed with  the share right. 
And blockes the everyone/authentiacted from the share, exept the

The "Special" right sets the needed group to allow writes/overwrites in that folder.

This is a bit how i setup. 
Try it and let us know if its working.


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens martin via samba
> Verzonden: donderdag 30 maart 2017 18:11
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] Failed to enumerate objects in the container.
> Access is denied.
> 
> > Rowland Penny <rpenny@xxxxxxxxx> hat am 30. März 2017 um 17:40
> geschrieben:
> 
> > OK, try this, change the ownership of both dirs to root:Domain Admins
> >
> > Then go and follow this wikipage:
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> 
> Ok, just did that. i have been always trying to follow this manual, to the
> point "Select the security Tab". This worked exactly once, only the first
> time, after new setup. The second time I just see a window telling me i
> was not allowed to change anything. And when I try to save it, I get the
> well known error message. Or it sometimes does not complain but simply
> does not remember anything.
> 
> I guess there must be something not up to date beingaccessed on the AD's.
> What I do in RSAT does not seem to have any influence after the first
> time. And these strange artifacts in getent like 134 or 040 (by the way
> after doing
> chown -R root:"RUBENS\domain admins" /fs/gf/  )
> 
> root@fs:~# getfacl /fs/gf/
> getfacl: Entferne führende '/' von absoluten Pfadnamen
> # file: fs/gf/
> # owner: root
> # group: RUBENS\134domain\040admins
> user::rwx
> user:root:rwx
> group::r-x
> group:root:r-x
> group:RUBENS\134gf:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:RUBENS\134gf:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:RUBENS\134gf:rwx
> default:mask::rwx
> default:other::---
> 
> ---
> 
> I have no clue how to go on, looks like a dead end to me.
> 
> I appreciate your patience very much.
> 
> martin
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba