[Samba] samba-tool gpo create as user in "Group Policy Creator Owners" is missing permissions

Kees van Vloten keesvanvloten at gmail.com
Mon Feb 7 13:19:26 UTC 2022


Hi Team,

(On samba 4.15.5 on Bullseye from Louis' repo)
I am trying to create a GPO as a user in "Group Policy Creator Owners":

samba-tool gpo create 'testgpo' --user=gpo_manager --password=<password>
Using temporary directory /tmp/tmp_a869azf (use --tmpdir to change)
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <acl: unable to get access to CN={B4C8AF24-50C5-400C-B823-4AF8727AD8E6},CN=Policies,CN=System,DC=composers,DC=lan > <>
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 1244, in run
    self.samdb.add(m)


As a result the GPO is created neither on the filesystem nor in LDAP.

From here: Microsoft - Delegating creation of GPOs
<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754948(v=ws.10)#delegating-creation-of-gpos>
I read:

"
The ability to create GPOs in a domain is a permission that is managed 
on a per-domain basis. By default, only members of the Domain Admins, 
Enterprise Admins, Group Policy Creator Owners, and SYSTEM groups can 
create new GPOs.
"

Is it not true that the permissions provided by membership of the group
"Group Policy Creator Owners" are sufficient to create GPOs on Samba?

- Kees
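The error above comes from the ACL module refusing the add under CN=Policies,CN=System, so the first thing to check is the DACL on that container: which trustees hold CreateChild there, and whether "Group Policy Creator Owners" (SDDL abbreviation PA, or the domain SID with RID 520) is among them. The script below is an added example, not code from this post or from Samba; it parses the D: part of an SDDL string and reports the trustees that may create child objects (either for any class, or object ACEs limited to the groupPolicyContainer schema class GUID, which the script assumes to be the standard f30e3bc2-9ff0-11d1-b603-0000f80367c1). The two SDDL strings inside are constructed samples, not descriptors taken from a real domain.

```python
import re

# SDDL trustee abbreviations for the groups the quoted Microsoft text names
# as the default GPO creators.
WELL_KNOWN_TRUSTEES = {
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "SY": "SYSTEM",
    "PA": "Group Policy Creator Owners",
}
GPCO_RID = "520"  # well-known RID of Group Policy Creator Owners
# Schema class GUID of groupPolicyContainer (assumption: standard AD schema).
# An object ACE carrying this GUID grants creation of GPO containers only.
GPC_CLASS_GUID = "f30e3bc2-9ff0-11d1-b603-0000f80367c1"

ADS_RIGHT_DS_CREATE_CHILD = 0x00000001
GENERIC_ALL = 0x10000000


def parse_dacl(sddl):
    """Return the ACEs of the D: part of an SDDL string as lists of fields."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    return [ace.split(";") for ace in re.findall(r"\(([^)]*)\)", m.group(1))]


def grants_create_child(rights):
    """True if an SDDL rights field includes CreateChild (CC) or GenericAll."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & (ADS_RIGHT_DS_CREATE_CHILD | GENERIC_ALL))
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & {"CC", "GA"})


def trustees_with_create_child(sddl):
    """Trustees allowed to create children (any class, or groupPolicyContainer)
    under the object whose descriptor is given, minus explicitly denied ones."""
    allowed, denied = set(), set()
    for ace in parse_dacl(sddl):
        if len(ace) < 6:
            continue  # malformed ACE, ignore
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = ace[:6]
        if not grants_create_child(rights):
            continue
        # An object ACE with a GUID covers that object class only.
        if obj_guid and obj_guid.lower() != GPC_CLASS_GUID:
            continue
        if ace_type in ("A", "OA"):
            allowed.add(trustee)
        elif ace_type in ("D", "OD"):
            denied.add(trustee)
    return allowed - denied


def gpco_can_create(sddl, domain_sid=None):
    """True if Group Policy Creator Owners (PA, or <domain_sid>-520) may create
    child objects under the object whose SDDL is given."""
    trustees = trustees_with_create_child(sddl)
    if "PA" in trustees:
        return True
    return domain_sid is not None and f"{domain_sid}-{GPCO_RID}" in trustees


# Constructed sample descriptors for CN=Policies (not from a real domain).
SAMPLE_DELEGATED = (
    "O:DAG:DAD:PAI"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(OA;CI;CC;f30e3bc2-9ff0-11d1-b603-0000f80367c1;;PA)"
    "(A;CI;RPLCLORC;;;AU)"
)
# Same descriptor, but PA only has read rights: the failure mode in the post.
SAMPLE_MISSING = SAMPLE_DELEGATED.replace(
    "(OA;CI;CC;f30e3bc2-9ff0-11d1-b603-0000f80367c1;;PA)",
    "(A;CI;RPLCLORC;;;PA)",
)


def report(sddl, domain_sid=None):
    """Human-readable summary of who may create GPO containers."""
    names = sorted(WELL_KNOWN_TRUSTEES.get(t, t)
                   for t in trustees_with_create_child(sddl))
    verdict = "can" if gpco_can_create(sddl, domain_sid) else "CANNOT"
    return f"CreateChild: {', '.join(names)}; Group Policy Creator Owners {verdict} create GPOs"


if __name__ == "__main__":
    print(report(SAMPLE_DELEGATED))
    print(report(SAMPLE_MISSING))
```

On a live Samba DC the real descriptor can be dumped with `samba-tool dsacl get --objectdn='CN=Policies,CN=System,DC=composers,DC=lan'` and fed to report(); if "Group Policy Creator Owners" (or the domain SID ending in -520) is absent from the CreateChild list, the LDAP error 50 in the post is the expected outcome of that DACL rather than a tool bug.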
