[Samba] Samba-tool gpo manage - The authenticated user does not have sufficient privileges

Kees van Vloten keesvanvloten at gmail.com
Thu Apr 18 16:45:09 UTC 2024 

On 18-04-2024 18:30, David Mulder via samba wrote:
>
> On 4/18/24 10:22 AM, Rowland Penny via samba wrote:
>> I used sudo because when I first ran it without sudo, I got this:
>>
>> adminuser at tmpdc1:~ $ samba-tool gpo manage scripts startup add 
>> {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
>> ERROR: Error connecting to 'rpidc2.samdom.example.com' using SMB
> Well that's odd. That shouldn't be necessary.
>> I then ran it with sudo but without '-Uadministrator and got this:
>>
>> adminuser at tmpdc1:~ $ sudo samba-tool gpo manage scripts startup add 
>> {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
>> ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
>>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", 
>> line 279, in _run
>>      return self.run(*args, **kwargs)
>>             ^^^^^^^^^^^^^^^^^^^^^^^^^
>>    File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 
>> 3519, in run
>>      reg = RegistryGroupPolicies(gpo, self.lp, self.creds, 
>> self.samdb, H)
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>    File "/usr/lib/python3/dist-packages/samba/policies.py", line 77, 
>> in __init__
>>      ds_sd_ndr = msg['nTSecurityDescriptor'][0]
>>                  ~~~^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> Finally running it with sudo and '-Uadministrator' appeared to work.
> Hrm, looks like a bug to me.
>> The thing is, if Samba had a working way of syncing sysvol between DCs,
>> it wouldn't matter, but I would image that users would like to do
>> everything on one DC (probably the one with the PDC_Emulator FSMO role)
>> and then sync sysvol to all other DCS. If the gpo commands are creating
>> things on other DCs, then that isn't going to work.
> That's a good point. There was some progress fixing this at some 
> point, but I don't recall what happened with that. I think perhaps you 
> can force it to use the local host via the '-H' option.

My experience with 'samba-tool gpo' is that -H does not work (or at 
least it is does not in many cases). That is unfortunate because you 
cannot be sure where the files of a gpo land and you have to wait until 
sysvol replication has run before you can be sure that filesystem 
operations on the gpo can succeed.

- Kees.

More information about the samba mailing list