[Samba] Samba-tool gpo manage - The authenticated user does not have sufficient privileges

David Mulder dmulder at samba.org
Thu Apr 18 16:30:52 UTC 2024 

On 4/18/24 10:22 AM, Rowland Penny via samba wrote:
> I used sudo because when I first ran it without sudo, I got this:
>
> adminuser at tmpdc1:~ $ samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
> ERROR: Error connecting to 'rpidc2.samdom.example.com' using SMB
Well that's odd. That shouldn't be necessary.
> I then ran it with sudo but without '-Uadministrator and got this:
>
> adminuser at tmpdc1:~ $ sudo samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
> ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
>      return self.run(*args, **kwargs)
>             ^^^^^^^^^^^^^^^^^^^^^^^^^
>    File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 3519, in run
>      reg = RegistryGroupPolicies(gpo, self.lp, self.creds, self.samdb, H)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    File "/usr/lib/python3/dist-packages/samba/policies.py", line 77, in __init__
>      ds_sd_ndr = msg['nTSecurityDescriptor'][0]
>                  ~~~^^^^^^^^^^^^^^^^^^^^^^^^
>
> Finally running it with sudo and '-Uadministrator' appeared to work.
Hrm, looks like a bug to me.
> The thing is, if Samba had a working way of syncing sysvol between DCs,
> it wouldn't matter, but I would image that users would like to do
> everything on one DC (probably the one with the PDC_Emulator FSMO role)
> and then sync sysvol to all other DCS. If the gpo commands are creating
> things on other DCs, then that isn't going to work.
That's a good point. There was some progress fixing this at some point, 
but I don't recall what happened with that. I think perhaps you can 
force it to use the local host via the '-H' option.

-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com

More information about the samba mailing list