[Samba] Samba-tool gpo manage - The authenticated user does not have sufficient privileges

Rowland Penny rpenny at samba.org
Thu Apr 18 16:22:37 UTC 2024


On Thu, 18 Apr 2024 10:05:39 -0600
David Mulder via samba <samba at lists.samba.org> wrote:

> 
> On 4/18/24 8:07 AM, Rowland Penny via samba wrote:
> > OK, After reading the commands help, I created a simple script and
> > ran the command like this:
> >
> > adminuser at tmpdc1:~ $ sudo samba-tool gpo manage scripts startup add
> > {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
> > -Uadministrator
> There is no reason to run this command as root. It operates via SMB,
> not on local files.

I used sudo because when I first ran it without sudo, I got this:

adminuser at tmpdc1:~ $ samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
ERROR: Error connecting to 'rpidc2.samdom.example.com' using SMB

I then ran it with sudo but without '-Uadministrator' and got this:

adminuser at tmpdc1:~ $ sudo samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 3519, in run
    reg = RegistryGroupPolicies(gpo, self.lp, self.creds, self.samdb, H)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/policies.py", line 77, in __init__
    ds_sd_ndr = msg['nTSecurityDescriptor'][0]
                ~~~^^^^^^^^^^^^^^^^^^^^^^^^

Finally running it with sudo and '-Uadministrator' appeared to work.

> > After being prompted for the Administrator password, the command
> > appeared to complete without error.
> >
> > However, I couldn't find the script in sysvol on the DC I ran the
> > command on, but after checking the other two DCs, I found this:
> >
> > adminuser at rpidc2:~ $ sudo cat
> > /var/lib/samba/sysvol/samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/VGP/VTLA/Unix/Scripts/Startup/test_script.sh
> > #!/bin/bash
> >
> > echo "Hello World"
> >
> > exit 0
> >
> > I have no idea why the script was created on another DC instead of
> > the DC the command was run on, the DC uses itself for its
> > nameserver.
> We've had this discussion before. This command does not run on the 
> current host, it contacts *one of the DCs* and sets it there. It
> should then be replicated to the others.
> 

The thing is, if Samba had a working way of syncing sysvol between DCs,
it wouldn't matter, but I would imagine that users would like to do
everything on one DC (probably the one with the PDC_Emulator FSMO role)
and then sync sysvol to all other DCs. If the gpo commands are creating
things on other DCs, then that isn't going to work.

Rowland
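The situation above (the startup script landing under sysvol on one DC and not the others, with no built-in sysvol replication) is exactly the kind of drift you want to detect before it bites a client. The following is an added example, not Samba code and not from anyone in this thread: it builds a per-file SHA-256 manifest of each DC's Policies tree and reports every path that is missing on some DC or differs between DCs. It assumes you have each DC's tree available locally (for instance rsync'd over ssh, or by running it on each DC and comparing the manifests); the `demo()` function uses constructed temporary directories and constructed GPT.INI content standing in for tmpdc1 and rpidc2, with the GPO GUID and script path taken from the thread.

```python
#!/usr/bin/env python3
"""Detect sysvol drift between DCs by comparing per-file content digests.

Added example, not Samba's own code. Assumes each DC's sysvol tree has been
copied to a local directory (e.g. with rsync over ssh); demo() builds
constructed trees under a temp directory instead of touching real sysvol.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash file content only; symlinks are skipped
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(manifests):
    """manifests: {dc_name: manifest}.

    Returns {relative_path: {dc_name: digest_or_None}} for every path that is
    absent on at least one DC (None) or whose content differs between DCs.
    An empty dict means the trees are identical in content.
    """
    all_paths = set()
    for manifest in manifests.values():
        all_paths.update(manifest)
    drift = {}
    for path in sorted(all_paths):
        per_dc = {dc: manifest.get(path) for dc, manifest in manifests.items()}
        if len(set(per_dc.values())) > 1:
            drift[path] = per_dc
    return drift


def _populate(root, files):
    """Write constructed files {relative_path: content} below root."""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)


def demo():
    """Constructed scenario mirroring the thread: the startup script exists in
    rpidc2's copy of the GPO but not in tmpdc1's; GPT.INI matches on both.
    The GPT.INI content here is a constructed sample, not taken from a DC."""
    gpo = "Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}"
    script = gpo + "/MACHINE/VGP/VTLA/Unix/Scripts/Startup/test_script.sh"
    gpt_ini = "[General]\nVersion=1\n"
    with tempfile.TemporaryDirectory() as tmp:
        dcs = {
            "tmpdc1": {gpo + "/GPT.INI": gpt_ini},
            "rpidc2": {gpo + "/GPT.INI": gpt_ini,
                       script: '#!/bin/bash\n\necho "Hello World"\n\nexit 0\n'},
        }
        manifests = {}
        for dc, files in dcs.items():
            root = os.path.join(tmp, dc)
            _populate(root, files)
            manifests[dc] = build_manifest(root)
        return compare_manifests(manifests)


if __name__ == "__main__":
    for path, per_dc in demo().items():
        print(path)
        for dc, digest in per_dc.items():
            print(f"  {dc}: {digest or 'MISSING'}")
```

This compares file content only. Sysvol also carries NTFS ACLs that Samba stores in extended attributes, and those are not covered by a content digest; for that side of the check Samba's own `samba-tool ntacl sysvolcheck` and `samba-tool ntacl sysvolreset` are the tools to reach for.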


