Failed to Enumerate Objects in the Container. Access Denied

Good-day Folks,

So, I'm fairly new to OMV and I'm really loving my first deployment of it to support a small network for my church. I'm having a small problem with permissions and I'd like to solicit the community's help. I've already read through about half of the threads in this section of the forum, but none seem to address my issue particularly. Thus, in the interest of time, I decided to post a new thread. Please forgive me if this may have already been asked and answered, and kindly point me to it.

My Environment:

1. Two Domain Controllers (Windows Server 2022)
2. OMV Version 6.0.46-5 (Shaitan) running Linux 5.19.17-1-pve kernel
3. Users & Groups coming from Active Directory
4. ZFS Filesystem (using the openmediavault-zfs plugin, Version 6.0.12)
5. Windows 10 Pro Clients (version 22H2, Build 19045.2251)

My Goals:

1. A Single Shared Folder (exposed to "Domain Users" with Read-Only and "Domain Admins" with Read-Write permissions)
2. Use Group Policy to map a network drive which points to the single shared folder from #1 for all "Domain Users"
3. "Domain Admins" should have the ability to create sub-folders from a Windows Client and manage the permissions from there

Thus far, I have been successful in implementing #1 and #2. However, #3 is eluding me with mixed results. While I am able to log into a domain controller (as a Domain Admin) and see the network drive successfully mapped, and I'm able to create subfolders, I am not able to change the permissions on those subfolders. I'm being hit with the following error whenever I try:

My environment is primarily comprised of Windows 10 clients, so I do not foresee any need for any of my users or admins, for that matter, to ever have a need to access the share from the CLI of the OMV Server or from another Linux host. The likelihood is low, but possible and I'll cross that bridge when I get there. But for now, my focus is to make sure that a Domain Admin can create subfolders and manage the permissions from their Windows Client.

Am I asking OMV to do something it is not designed to do? Or is there something I'm missing?

Update (as of 0700 on 11/23/2022):

Here's what I've one since the original posting of my question.

I came upon this article in the Samba Wiki, which mentioned that in order to be able to manage share permissions from a Windows host, the user account being used to do this must possess the SeDiskOperatorPrivilege privilege. So I followed the guide to grant my Domain Admins group this privilege, as well as adding the acl_xattr:ignore system acls = yes parameter to the share settings via the OMV Web UI. I have rebooted the OMV Server to confirm that Samba is reloaded, but I'm still facing the access denied message when attempting to manage permissions from a Windows client.

Hi all, just checking in to see if I can get some help with my issue above?

You wouldn't believe this. I got so excited to see a response and ran to the server to get you the information you requested, just to find that all my users and groups from AD are no longer showing in the web UI.

I need to troubleshoot that and will be back with the permissions information you requested, thanks.

Zitat von ryecoaaron

Don't get too excited. I hate Windows and AD (especially when connecting a Linux system to it) and don't use samba much anymore lol.

Hahaha! I will try not to take that too personally.....I suspect you wouldn't give a rat's a** anyway...lol. I'm primarily a Windows SysAdmin who manages hybrid Windows/RHEL systems for a living, so I know just enough of Linux to be dangerous but not enough to get me out of jams like this one.

Still trying to figure out why all of a sudden I'm seeing this:

sssctl domain-status mydomain.net
Online status: Online

Active servers:
AD Global Catalog: not connected
AD Domain Controller: dc02.mydomain.net

Discovered AD Global Catalog servers:
None so far.
Discovered AD Domain Controller servers:
- dc02.mydomain.net
- dc01.mydomain.net

Zitat von ryecoaaron

Are you sure your keytab is still good? What do the sssd logs say?

Honestly, I'm not sure. The sssd.log file doesn't show any errors,.

I just used realm leave -U myusername and realm join -U myusername mydomain to successfuly leave the domain and joined back to it, and I watched the computer object get deleted and recreated on the two domain controllers.

Looks like a challenge for me, I will dedicate sometime to figuring out what's wrong while resisting the temptation to simply blow away the server and start over from scratch....lol.