Error Enumerating on a directory I own via SMB (CLI OK)

Sid Young

Jun 22, 2023, 7:20:53 PM
to Isilon Technical User Group
Hi all,

I have a strange issue where I am a member of a group that has full control of a directory:

/ifs/FS01/Projects/Group_Projects

The Group_Projects has inheritance disabled and two groups:
 - Project_Admins AD group (which has dir_gen_all, object_inherit, container_inherit) (Folder owner is root:wheel)
 - Project_Members AD group (dir_gen_read, dir_gen_execute). No inheritance... so members can see the directories and only access ones that they are a member of.

I create a folder in Group_Projects with no issues (Project_1234) and it now has permissions :
 - Project_Admins
 - syoung

I want to add another user, but when I try to apply the user and the set permissions I get an SMB error "Error enumerating Objects".

I am puzzled as to why my "syoung" basic AD account cannot apply permissions even when it owns the folder and is in the group that owns the parent folder.

Thanks in advance

Sid

Ebert, Michael

Jun 23, 2023, 7:23:35 AM
to isilon-u...@googlegroups.com
I find that permissions work flawlessly when they are all from a single auth source.  If you use the Microsoft MMC to set the owner, NTFS and share to an AD user or group, there are no such issues.  root will still have access in the cli, as it is root, unless specifically denied.

Michael Ebert

Storage Team Supervisor

State of West Virginia

Department of Administration

Office of Technology

 

1900 Kanawha Blvd East

Building 5, 10th Floor

Charleston, WV  25305

 

304.352.5283 Voice

 

No trees were killed in the sending of this message, but a large number of electrons were terribly inconvenienced.

 

"Notice of Confidentiality" The information contained in this e-mail message is intended for the use of the individual or entity named above.  If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, or copy of the communication is strictly prohibited.




Sid Young

Jun 23, 2023, 7:40:31 AM
to isilon-u...@googlegroups.com
All auth is from a single Windows AD server.


Sid


Ebert, Michael

Jun 23, 2023, 8:27:36 AM
to isilon-u...@googlegroups.com
You said the files/dirs were owned by root:wheel, correct?

Michael Ebert



Sid Young

Jun 23, 2023, 8:40:35 AM
to isilon-u...@googlegroups.com
Correct, but the ACLs are Windows AD users/groups. The Isilon is set to merge the ACL and Unix. We have 100 million files, most with root:wheel, but we use the Windows ACLs to control it... the UNIX level permission is not the issue; even if I set it to the user/group using chown "AD\user":"AD\group" <dir> I still get the enumeration error.


Sid

Alistair Stewart

Jun 23, 2023, 8:49:50 AM
to isilon-u...@googlegroups.com
The fact that your account is the owner makes no real difference to anything in AD, unlike POSIX permissions. Your account still needs permission to access/change/delete the file, even if it "owns" it.

Al…

Ebert, Michael

Jun 23, 2023, 10:27:20 AM
to isilon-u...@googlegroups.com
Do you have access based enumeration turned on for the shares?

Michael Ebert



Sid Young

Jun 24, 2023, 7:24:12 AM
to isilon-u...@googlegroups.com