[Samba] Samba-tool gpo manage - The authenticated user does not have sufficient privileges

Kees van Vloten keesvanvloten at gmail.com
Fri Apr 19 11:36:51 UTC 2024


On 19-04-2024 13:10, Jarosław Kłopotek - INTERDUO via samba wrote:
>
> On 19.04.2024 at 11:00, Kees van Vloten via samba wrote:
>>
>> On 19-04-2024 10:33, Jarosław Kłopotek - INTERDUO via samba wrote:
>>> On 19.04.2024 at 09:59, Jarosław Kłopotek - INTERDUO via samba wrote:
>>>> On 18.04.2024 at 18:11, David Mulder via samba wrote:
>>>>> On 4/18/24 1:03 AM, Jarosław Kłopotek - INTERDUO via samba wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I run cmd:
>>>>>> samba-tool gpo manage scripts startup add \
>>>>>> {31B2F340-016D-11D2-945F-00C04FB984F9} \
>>>>>> /var/lib/samba/sysvol/fartest.local/scripts/startup.bat
>>>>>>
>>>>>> with result:
>>>>>> [cut]
>>>>>> ERROR: The authenticated user does not have sufficient privileges
>>>>>>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 3230, in run
>>>>>>     create_directory_hier(conn, vgp_dir)
>>>>>>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 383, in create_directory_hier
>>>>>>     conn.mkdir(path)
>>>>>> signed SMB2 message (sign_algo_id=2)
>>>>>
>>>>> You've authenticated an SMB session, and your user is attempting 
>>>>> to create a directory on the share, but is getting a permissions 
>>>>> error. If this is happening for the Administrator, then you 
>>>>> clearly have a permissions issue on your sysvol share. Try running 
>>>>> `samba-tool ntacl sysvolreset`.
>>>> This did not help ... but adding read only = no in the [sysvol] share 
>>>> helped.
>>>> Thanks for leading me to the solution.
>>> And I also changed -UAdministrator to -Uadministrator.
>> It looks like it fails on "conn.mkdir(path)", i.e. creating a directory.
>> This is a filesystem operation happening over smb, i.e. filesystem 
>> permissions apply.
>>
>> Did you check that the permissions (mode permissions, posix-acls, 
>> nt-acls) on the directory are correct?  This can be fixed by running 
>> "samba-tool ntacl sysvolreset".
> I did sysvolreset.
>> Did you check that idmapping of your user is the same on all DCs 
>> including the content of "/var/lib/samba/private/idmap.ldb"? More 
>> info on idmap.ldb: 
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
>
> Yes. The cmd for adding the script is working now.
>
> I removed the startup script with samba-tool and added it using gpmc.msc 
> from a Windows client. The script was uploaded to Samba.
>
> I rebooted the Windows client but the GPO was not applied.
> How do I diagnose that?
>
Force GPO update: gpupdate /force

Check result: gpresult /r

Debugging of the processing of GPOs:

Enable debug:

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v GPSvcDebugLevel /t REG_DWORD /d 196610
if not exist c:\windows\debug\usermode mkdir c:\windows\debug\usermode

Windows will create a debug log file: C:\Windows\Debug\Usermode\gpsvc.log


- Kees.
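
Added example, not part of any message in this thread: the fix reported earlier was adding "read only = no" to the [sysvol] share, so this sketch checks whether a share in an smb.conf resolves to writable, including the default and the inverted synonyms. The function name and the sample smb.conf are constructed for illustration; include/copy directives and backslash line continuations are not handled.

```python
import re

# Constructed sample smb.conf for illustration (not taken from the thread).
SAMPLE_SMB_CONF = """\
[global]
    server role = active directory domain controller

[sysvol]
    path = /var/lib/samba/sysvol
    ; read only = No   (commented out, so the default applies)

[netlogon]
    path = /var/lib/samba/sysvol/fartest.local/scripts
    Writeable = yes
"""

TRUE = {"yes", "true", "1", "on"}
FALSE = {"no", "false", "0", "off"}
# "writeable", "writable" and "write ok" are inverted synonyms of "read only".
INVERTED = {"writeable", "writable", "writeok"}


def _norm(name):
    # smb.conf section and parameter names ignore case and whitespace.
    return re.sub(r"\s+", "", name).lower()


def share_is_writable(conf_text, share):
    """True/False for the effective read-only state of [share] (last setting
    wins), or None if the share is not defined in conf_text."""
    section, found, read_only = None, False, True  # default: read only = yes
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = _norm(m.group(1))
            found = found or section == _norm(share)
            continue
        if section != _norm(share) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key, value = _norm(key), value.lower()
        if key == "readonly" and value in TRUE | FALSE:
            read_only = value in TRUE
        elif key in INVERTED and value in TRUE | FALSE:
            read_only = value in FALSE
    return (not read_only) if found else None
```
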



