Kees van Vloten
2024-Apr-19 09:00 UTC
[Samba] Samba-tool gpo manage - The authenticated user does not have sufficient privileges
On 19-04-2024 10:33, Jarosław Kłopotek - INTERDUO via samba wrote:
> On 19.04.2024 at 09:59, Jarosław Kłopotek - INTERDUO via samba wrote:
>> On 18.04.2024 at 18:11, David Mulder via samba wrote:
>>> On 4/18/24 1:03 AM, Jarosław Kłopotek - INTERDUO via samba wrote:
>>>> Hi all,
>>>>
>>>> I run cmd:
>>>> samba-tool gpo manage scripts startup add \
>>>> {31B2F340-016D-11D2-945F-00C04FB984F9} \
>>>> /var/lib/samba/sysvol/fartest.local/scripts/startup.bat
>>>>
>>>> with result:
>>>> [cut]
>>>> ERROR: The authenticated user does not have sufficient privileges
>>>>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 3230, in run
>>>>     create_directory_hier(conn, vgp_dir)
>>>>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 383, in create_directory_hier
>>>>     conn.mkdir(path)
>>>> signed SMB2 message (sign_algo_id=2)
>>>
>>> You've authenticated an SMB session, and your user is attempting to
>>> create a directory on the share, but is getting a permissions error.
>>> If this is happening for the Administrator, then you clearly have a
>>> permissions issue on your sysvol share. Try running `samba-tool
>>> ntacl sysvolreset`.
>> This did not help ... but adding read only = no in [sysvol] share helped.
>> Thanks for leading to solution.
> And I also changed -UAdministrator to -Uadministrator.
>

It looks like it fails on "conn.mkdir(path)", i.e. creating a directory. This is a filesystem operation happening over smb, i.e. filesystem permissions apply.

Did you check that the permissions (mode permissions, posix-acls, nt-acls) on directory are correct? This can be fixed by running "samba-tool ntacl sysvolreset".

Did you check that idmapping of your user is the same on all DCs including the content of "/var/lib/samba/private/idmap.ldb"? More info on idmap.ldb:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

- Kees.
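Added example (not part of the thread and not Samba's own code): the fix quoted above was `read only = no` in `[sysvol]`, and because Samba shares default to read-only, a share without that setting refuses writes such as `conn.mkdir(path)` whatever the filesystem ACLs say. The sketch below resolves the effective setting from smb.conf text, including the inverted synonyms and `[global]` defaults; `share_read_only` and the sample config are assumptions made for illustration.

```python
import re

_TRUE = {"yes", "true", "1", "on"}          # boolean spellings smb.conf accepts
_FALSE = {"no", "false", "0", "off"}
_INVERTED = {"writeable", "writable", "writeok"}   # inverted synonyms of "read only"

# Constructed samples (not the poster's smb.conf): a [sysvol] with no
# "read only" line, then the same share with the fix from the thread.
BEFORE = "[global]\n  workgroup = FARTEST\n[sysvol]\n  path = /var/lib/samba/sysvol\n"
AFTER = BEFORE + "  read only = no\n"


def share_read_only(conf_text, share):
    """True if `share` ends up read-only, False if writable, None if undefined.

    Hypothetical helper: applies [global] defaults, last setting wins, and
    does not follow "include" or "copy" directives.
    """
    share = share.lower()
    state = {"global": None, share: None}
    section, seen = None, False
    # Join backslash-continued lines before parsing.
    for raw in re.sub(r"\\\r?\n", "", conf_text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            seen = seen or section == share
            continue
        if section not in state or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = re.sub(r"\s+", "", name).lower()  # names ignore case and spaces
        value = value.strip().lower()
        if value not in _TRUE | _FALSE:
            continue
        if name == "readonly":
            state[section] = value in _TRUE
        elif name in _INVERTED:
            state[section] = value not in _TRUE
    if not seen:
        return None
    if state[share] is not None:
        return state[share]
    # No explicit setting anywhere: Samba's default is "read only = yes".
    return True if state["global"] is None else state["global"]
```

On a live DC, `testparm -s` prints the configuration Samba actually loaded and is the authoritative check.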
Jarosław Kłopotek - INTERDUO
2024-Apr-19 11:10 UTC
[Samba] Samba-tool gpo manage - The authenticated user does not have sufficient privileges
On 19.04.2024 at 11:00, Kees van Vloten via samba wrote:
>
> On 19-04-2024 10:33, Jarosław Kłopotek - INTERDUO via samba wrote:
>> On 19.04.2024 at 09:59, Jarosław Kłopotek - INTERDUO via samba wrote:
>>> On 18.04.2024 at 18:11, David Mulder via samba wrote:
>>>> On 4/18/24 1:03 AM, Jarosław Kłopotek - INTERDUO via samba wrote:
>>>>> Hi all,
>>>>>
>>>>> I run cmd:
>>>>> samba-tool gpo manage scripts startup add \
>>>>> {31B2F340-016D-11D2-945F-00C04FB984F9} \
>>>>> /var/lib/samba/sysvol/fartest.local/scripts/startup.bat
>>>>>
>>>>> with result:
>>>>> [cut]
>>>>> ERROR: The authenticated user does not have sufficient privileges
>>>>>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 3230, in run
>>>>>     create_directory_hier(conn, vgp_dir)
>>>>>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 383, in create_directory_hier
>>>>>     conn.mkdir(path)
>>>>> signed SMB2 message (sign_algo_id=2)
>>>>
>>>> You've authenticated an SMB session, and your user is attempting to
>>>> create a directory on the share, but is getting a permissions
>>>> error. If this is happening for the Administrator, then you clearly
>>>> have a permissions issue on your sysvol share. Try running
>>>> `samba-tool ntacl sysvolreset`.
>>> This did not help ... but adding read only = no in [sysvol] share helped.
>>> Thanks for leading to solution.
>> And I also changed -UAdministrator to -Uadministrator.
> It looks like it fails on "conn.mkdir(path)", i.e. creating a directory.
> This is a filesystem operation happening over smb, i.e. filesystem
> permissions apply.
>
> Did you check that the permissions (mode permissions, posix-acls,
> nt-acls) on directory are correct? This can be fixed by running
> "samba-tool ntacl sysvolreset".

I did sysvolreset.

> Did you check that idmapping of your user is the same on all DCs
> including the content of "/var/lib/samba/private/idmap.ldb"? More info
> on idmap.ldb:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

Yes.

The cmd for adding script is working now. I removed startup script by samba-tool and added it using gpmc.msc from Windows client. Script uploaded to Samba. I did a reboot of Windows client but GPO was not applied. How to diagnose that?

--
Jarosław Kłopotek, mobile +48 607 893 111