[Samba] Samba-tool gpo manage - The authenticated user does not have sufficient privileges
David Mulder
dmulder at samba.org
Thu Apr 18 16:30:52 UTC 2024
On 4/18/24 10:22 AM, Rowland Penny via samba wrote:
> I used sudo because when I first ran it without sudo, I got this:
>
> adminuser at tmpdc1:~ $ samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
> ERROR: Error connecting to 'rpidc2.samdom.example.com' using SMB
Well that's odd. That shouldn't be necessary.
> I then ran it with sudo but without '-Uadministrator and got this:
>
> adminuser at tmpdc1:~ $ sudo samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
> ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
> File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
> return self.run(*args, **kwargs)
> ^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 3519, in run
> reg = RegistryGroupPolicies(gpo, self.lp, self.creds, self.samdb, H)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3/dist-packages/samba/policies.py", line 77, in __init__
> ds_sd_ndr = msg['nTSecurityDescriptor'][0]
> ~~~^^^^^^^^^^^^^^^^^^^^^^^^
>
> Finally running it with sudo and '-Uadministrator' appeared to work.
Hrm, looks like a bug to me.
> The thing is, if Samba had a working way of syncing sysvol between DCs,
> it wouldn't matter, but I would image that users would like to do
> everything on one DC (probably the one with the PDC_Emulator FSMO role)
> and then sync sysvol to all other DCS. If the gpo commands are creating
> things on other DCs, then that isn't going to work.
That's a good point. There was some progress fixing this at some point,
but I don't recall what happened with that. I think perhaps you can
force it to use the local host via the '-H' option.
--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
More information about the samba
mailing list