[Samba] Samba-tool gpo manage - The authenticated user does not have sufficient privileges
Jarosław Kłopotek - INTERDUO
jkl at interduo.pl
Fri Apr 19 11:10:08 UTC 2024
W dniu 19.04.2024 o 11:00, Kees van Vloten via samba pisze:
>
> On 19-04-2024 10:33, Jarosław Kłopotek - INTERDUO via samba wrote:
>> W dniu 19.04.2024 o 09:59, Jarosław Kłopotek - INTERDUO via samba pisze:
>>> W dniu 18.04.2024 o 18:11, David Mulder via samba pisze:
>>>> On 4/18/24 1:03 AM, Jarosław Kłopotek - INTERDUO via samba wrote:
>>>>> Hi all,
>>>>>
>>>>> I run cmd:
>>>>> samba-tool gpo manage scripts startup add \
>>>>> {31B2F340-016D-11D2-945F-00C04FB984F9} \
>>>>> /var/lib/samba/sysvol/fartest.local/scripts/startup.bat
>>>>>
>>>>> with result:
>>>>> [cut]
>>>>> ERROR: The authenticated user does not have sufficient privileges
>>>>> File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line
>>>>> 3230, in run
>>>>> create_directory_hier(conn, vgp_dir)
>>>>> File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line
>>>>> 383, in create_directory_hier
>>>>> conn.mkdir(path)
>>>>> signed SMB2 message (sign_algo_id=2)
>>>>
>>>> You've authenticated an SMB session, and your user is attempting to
>>>> create a directory on the share, but is getting a permissions
>>>> error. If this is happening for the Administrator, then you clearly
>>>> have a permissions issue on your sysvol share. Try running
>>>> `samba-tool ntacl sysvolreset`.
>>> This not helped ... but adding read only = no in [sysvol] share helped.
>>> Thanks for leading to solution.
>> And I also changed -UAdministrator to -Uadministrator.
> It looks like it fails on "conn.mkdir(path)", i.e. creating a directory.
> This is a filesystem operation happening over smb, i.e. filesystem
> permissions apply.
>
> Did you check that the permissions (mode permissions, posix-acls,
> nt-acls) on directory are correct? This can be fixed by running
> "samba-tool ntacl sysvolreset".
I did sysvolreset.
> Did you check that idmapping of your user is the same on all DCs
> including the content of "/var/lib/samba/private/idmap.ldb"? More info
> on idmap.ldb:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
Yes. The cmd for adding script is working now.
I removed startup script by samba-tool and added it using gpmc.msc from
Windows client. Script uploaded to Samba.
I did a reboot of windows client but GPO was not applied.
How to diagnose that?
--
Jarosław Kłopotek, kom. +48 607 893 111
More information about the samba
mailing list