[Samba] Samba-tool gpo manage - The authenticated user does not have sufficient privileges

Rowland Penny rpenny at samba.org
Thu Apr 18 16:56:16 UTC 2024


On Thu, 18 Apr 2024 10:30:52 -0600
David Mulder via samba <samba at lists.samba.org> wrote:

> 
> On 4/18/24 10:22 AM, Rowland Penny via samba wrote:
> > I used sudo because when I first ran it without sudo, I got this:
> >
> > adminuser at tmpdc1:~ $ samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
> > ERROR: Error connecting to 'rpidc2.samdom.example.com' using SMB
> Well that's odd. That shouldn't be necessary.
> > I then ran it with sudo but without '-Uadministrator' and got this:
> >
> > adminuser at tmpdc1:~ $ sudo samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
> > ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
> >     return self.run(*args, **kwargs)
> >            ^^^^^^^^^^^^^^^^^^^^^^^^^
> >   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 3519, in run
> >     reg = RegistryGroupPolicies(gpo, self.lp, self.creds, self.samdb, H)
> >           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >   File "/usr/lib/python3/dist-packages/samba/policies.py", line 77, in __init__
> >     ds_sd_ndr = msg['nTSecurityDescriptor'][0]
> >                 ~~~^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > Finally running it with sudo and '-Uadministrator' appeared to work.
> Hrm, looks like a bug to me.
> > The thing is, if Samba had a working way of syncing sysvol between
> > DCs, it wouldn't matter, but I would imagine that users would like to
> > do everything on one DC (probably the one with the PDC_Emulator
> > FSMO role) and then sync sysvol to all other DCs. If the gpo
> > commands are creating things on other DCs, then that isn't going to
> > work.
> That's a good point. There was some progress fixing this at some
> point, but I don't recall what happened with that. I think perhaps
> you can force it to use the local host via the '-H' option.
> 

Is there any way to only run the samba-tool gpo commands on a DC and
then create the files on that DC, at least until some really intelligent
person (which rules me out) comes up with a working DFS-R?

Rowland



