[Samba] Samba-tool gpo manage - The authenticated user does not have sufficient privileges

Rowland Penny rpenny at samba.org
Thu Apr 18 14:07:00 UTC 2024


On Thu, 18 Apr 2024 12:14:20 +0200
Jarosław Kłopotek - INTERDUO via samba <samba at lists.samba.org> wrote:

> On 18.04.2024 at 12:01, Jarosław Kłopotek - INTERDUO via samba
> wrote:
> >
> > On 18.04.2024 at 09:56, Rowland Penny via samba wrote:
> >> On Thu, 18 Apr 2024 09:03:10 +0200
> >> Jarosław Kłopotek - INTERDUO via samba<samba at lists.samba.org>
> >> wrote:
> >>
> >>> Hi all,
> >>>
> >>> I run cmd:
> >>> samba-tool gpo manage scripts startup add \
> >>> {31B2F340-016D-11D2-945F-00C04FB984F9} \
> >>> /var/lib/samba/sysvol/fartest.local/scripts/startup.bat
> >> Are you running the command as root or with sudo ?
> > as root
> >>> with result:
> >>> [cut]
> >>> ERROR: The authenticated user does not have sufficient privileges
> >>>     File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py",
> >>> line 3230, in run
> >>>       create_directory_hier(conn, vgp_dir)
> >>>     File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py",
> >>> line 383, in create_directory_hier
> >>>       conn.mkdir(path)
> >>> signed SMB2 message (sign_algo_id=2)
> >>>
> >>> I tried also this cmd with -UAdministrator but the same error
> >>> appears.
> >>>
> >>> Is this normal?
> >>> If yes, where to configure these permissions?
> >> What version of Samba are you using, there have been a few updates
> >> in the area that is failing for you.
> > ii  samba                    2:4.17.12+dfsg-0+deb12u1 amd64 SMB/CIFS file, print, and login server for Unix
> > ii  samba-ad-provision       2:4.17.12+dfsg-0+deb12u1 all Samba files needed for AD domain provision
> > un  samba-client             <none> <none>       (no description available)
> > ii  samba-common             2:4.17.12+dfsg-0+deb12u1 all common files used by both the Samba server and cli>
> > ii  samba-common-bin         2:4.17.12+dfsg-0+deb12u1 amd64 Samba common files used by both the server and the>
> > ii  samba-dsdb-modules:amd64 2:4.17.12+dfsg-0+deb12u1 amd64 Samba Directory Services Database
> > ii  samba-libs:amd64         2:4.17.12+dfsg-0+deb12u1 amd64 Samba core libraries
> > un  samba-testsuite          <none> <none>       (no description available)
> > ii  samba-vfs-modules:amd64  2:4.17.12+dfsg-0+deb12u1 amd64 Samba Virtual FileSystem plugins
> >
> > In other words use newest available in Debian 12 stable repo.
> 
> Additionally I tested samba from unstable repository
> 
> Other lines errored:
> ERROR: The authenticated user does not have sufficient privileges
>    File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line
> 3571, in run
>      create_directory_hier(conn, vgp_dir)
>    File "/usr/lib/python3/dist-packages/samba/netcmd/gpcommon.py",
> line 39, in create_directory_hier
>      conn.mkdir(path)
> 
> dpkg -l samba*
> ii  samba                    2:4.19.6+dfsg-1 amd64        SMB/CIFS file, print,>
> ii  samba-ad-provision       2:4.19.6+dfsg-1 all          Samba files needed fo>
> un  samba-client             <none> <none>       (no description avail>
> ii  samba-common             2:4.19.6+dfsg-1 all          common files used by >
> ii  samba-common-bin         2:4.19.6+dfsg-1 amd64        Samba common files us>
> ii  samba-dsdb-modules:amd64 2:4.19.6+dfsg-1 amd64        Samba Directory Servi>
> ii  samba-libs:amd64         2:4.19.6+dfsg-1 amd64        Samba core libraries
> un  samba-testsuite          <none> <none>       (no description avail>
> ii  samba-vfs-modules:amd64  2:4.19.6+dfsg-1 amd64        Samba Virtual FileS
> 

OK, after reading the command's help, I created a simple script and ran
the command like this:

adminuser@tmpdc1:~ $ sudo samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh -Uadministrator

After being prompted for the Administrator password, the command
appeared to complete without error.

However, I couldn't find the script in sysvol on the DC I ran the
command on, but after checking the other two DCs, I found this:

adminuser@rpidc2:~ $ sudo cat /var/lib/samba/sysvol/samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/VGP/VTLA/Unix/Scripts/Startup/test_script.sh
#!/bin/bash

echo "Hello World"

exit 0

I have no idea why the script was created on another DC instead of the
DC the command was run on; the DC uses itself for its nameserver.

Rowland
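
To see which DC's local sysvol actually holds a startup script for a GPO, the following added example (not part of the original message, and not Samba's own code) lists each file with its SHA-256 so the output from every DC can be diffed. The function names are hypothetical; the path layout is the one shown in the listing above, and `sha256sum` is assumed to be installed.

```shell
#!/bin/sh
# Added example: inventory the VGP startup scripts of one GPO in a local
# sysvol tree. Function names are hypothetical; the directory layout is
# copied from the path shown in the message above.

# vgp_startup_dir SYSVOL_ROOT DOMAIN GPO_GUID
# Prints the directory where "gpo manage scripts startup add" files were found.
vgp_startup_dir() {
    printf '%s/%s/Policies/%s/MACHINE/VGP/VTLA/Unix/Scripts/Startup\n' \
        "$1" "$2" "$3"
}

# list_vgp_startup_scripts SYSVOL_ROOT DOMAIN GPO_GUID
# Prints one "sha256  filename" line per regular file, in glob (name) order.
# Returns 2 when the directory does not exist on this DC, 0 otherwise.
list_vgp_startup_scripts() {
    dir=$(vgp_startup_dir "$1" "$2" "$3")
    if [ ! -d "$dir" ]; then
        echo "missing: $dir" >&2
        return 2
    fi
    for f in "$dir"/*; do
        # Skip subdirectories and the unexpanded glob of an empty directory.
        [ -f "$f" ] || continue
        printf '%s  %s\n' \
            "$(sha256sum < "$f" | cut -d' ' -f1)" "$(basename "$f")"
    done
}

# Usage on each DC (run as root, then diff the saved outputs):
#   list_vgp_startup_scripts /var/lib/samba/sysvol samdom.example.com \
#       '{31B2F340-016D-11D2-945F-00C04FB984F9}' > "/tmp/$(hostname).txt"
```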



