[Samba] Samba-tool gpo manage - The authenticated user does not have sufficient privileges

Jarosław Kłopotek - INTERDUO jkl at interduo.pl
Fri Apr 19 11:10:08 UTC 2024


On 19.04.2024 at 11:00, Kees van Vloten via samba wrote:
>
> On 19-04-2024 10:33, Jarosław Kłopotek - INTERDUO via samba wrote:
>> On 19.04.2024 at 09:59, Jarosław Kłopotek - INTERDUO via samba wrote:
>>> On 18.04.2024 at 18:11, David Mulder via samba wrote:
>>>> On 4/18/24 1:03 AM, Jarosław Kłopotek - INTERDUO via samba wrote:
>>>>> Hi all,
>>>>>
>>>>> I run cmd:
>>>>> samba-tool gpo manage scripts startup add \
>>>>> {31B2F340-016D-11D2-945F-00C04FB984F9} \
>>>>> /var/lib/samba/sysvol/fartest.local/scripts/startup.bat
>>>>>
>>>>> with result:
>>>>> [cut]
>>>>> ERROR: The authenticated user does not have sufficient privileges
>>>>>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 3230, in run
>>>>>     create_directory_hier(conn, vgp_dir)
>>>>>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 383, in create_directory_hier
>>>>>     conn.mkdir(path)
>>>>> signed SMB2 message (sign_algo_id=2)
>>>>
>>>> You've authenticated an SMB session, and your user is attempting to 
>>>> create a directory on the share, but is getting a permissions 
>>>> error. If this is happening for the Administrator, then you clearly 
>>>> have a permissions issue on your sysvol share. Try running 
>>>> `samba-tool ntacl sysvolreset`.
>>> This did not help ... but adding read only = no in the [sysvol] share helped.
>>> Thanks for leading to the solution.
>> And I also changed -UAdministrator to -Uadministrator.
> It looks like it fails on "conn.mkdir(path)", i.e. creating a directory.
> This is a filesystem operation happening over smb, i.e. filesystem 
> permissions apply.
>
> Did you check that the permissions (mode permissions, posix-acls, 
> nt-acls) on directory are correct?  This can be fixed by running 
> "samba-tool ntacl sysvolreset".
I did sysvolreset.
> Did you check that idmapping of your user is the same on all DCs 
> including the content of "/var/lib/samba/private/idmap.ldb"? More info 
> on idmap.ldb: 
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

Yes. The cmd for adding the script is working now.

I removed the startup script with samba-tool and added it using gpmc.msc from 
a Windows client. The script was uploaded to Samba.

I did a reboot of the Windows client but the GPO was not applied.
How can I diagnose that?

-- 
Jarosław Kłopotek, kom. +48 607 893 111
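
Added example, not part of the original thread and not Samba's own code: a share whose effective "read only" is yes refuses directory creation over SMB even when the ACLs set by sysvolreset are correct, so this sketch computes that effective value for a share from smb.conf text, including the inverted synonyms (writeable, writable, write ok) and [global] defaults. The sample configuration is constructed, and the parser is a simplification that assumes no "include" files or backslash line continuations.

```python
# Added example: effective "read only" state of a share in smb.conf text.
# SAMPLE_CONF is constructed for illustration; it is not the poster's file.
SAMPLE_CONF = """\
[global]
    server role = active directory domain controller
    realm = FARTEST.LOCAL

[sysvol]
    path = /var/lib/samba/sysvol
    read only = yes

[netlogon]
    path = /var/lib/samba/sysvol/fartest.local/scripts
    writeable = yes
"""

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}
# Spellings of the same setting; a True entry marks an inverted synonym.
READ_ONLY_NAMES = {"readonly": False, "writeable": True, "writable": True, "writeok": True}

def parse_smb_conf(text):
    """Return {section: [(normalized_param, value), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            current.append(("".join(name.split()).lower(), value.strip()))
    return sections

def share_is_read_only(sections, share):
    """Effective 'read only': [global] default first, then the share; last wins."""
    read_only = True  # Samba's default when the parameter is not set
    for scope in ("global", share.lower()):
        for name, value in sections.get(scope, []):
            if name not in READ_ONLY_NAMES:
                continue
            v = value.lower()
            if v not in TRUE | FALSE:
                raise ValueError(f"bad boolean for {name!r}: {value!r}")
            flag = v in TRUE
            read_only = (not flag) if READ_ONLY_NAMES[name] else flag
    return read_only

if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_CONF)
    for share in ("sysvol", "netlogon"):
        print(f"[{share}] read only:", share_is_read_only(conf, share))
```

On a live DC, `testparm -s` prints the configuration as Samba itself parses it, which is the authoritative view when includes are in use.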




