Rowland Penny
2024-Apr-18 16:22 UTC
[Samba] Samba-tool gpo manage - The authenticated user does not have sufficient privileges
On Thu, 18 Apr 2024 10:05:39 -0600 David Mulder via samba <samba at lists.samba.org> wrote:

>
> On 4/18/24 8:07 AM, Rowland Penny via samba wrote:
> > OK, After reading the commands help, I created a simple script and
> > ran the command like this:
> >
> > adminuser@tmpdc1:~ $ sudo samba-tool gpo manage scripts startup add
> > {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
> > -Uadministrator
> There is no reason to run this command as root. It operates via SMB,
> not on local files.

I used sudo because when I first ran it without sudo, I got this:

adminuser@tmpdc1:~ $ samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
ERROR: Error connecting to 'rpidc2.samdom.example.com' using SMB

I then ran it with sudo but without '-Uadministrator' and got this:

adminuser@tmpdc1:~ $ sudo samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 3519, in run
    reg = RegistryGroupPolicies(gpo, self.lp, self.creds, self.samdb, H)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/policies.py", line 77, in __init__
    ds_sd_ndr = msg['nTSecurityDescriptor'][0]
                ~~~^^^^^^^^^^^^^^^^^^^^^^^^

Finally running it with sudo and '-Uadministrator' appeared to work.

> > After being prompted for the Administrator password, the command
> > appeared to complete without error.
> >
> > However, I couldn't find the script in sysvol on the DC I ran the
> > command on, but after checking the other two DCs, I found this:
> >
> > adminuser@rpidc2:~ $ sudo cat
> > /var/lib/samba/sysvol/samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/VGP/VTLA/Unix/Scripts/Startup/test_script.sh
> > #!/bin/bash
> >
> > echo "Hello World"
> >
> > exit 0
> >
> > I have no idea why the script was created on another DC instead of
> > the DC the command was run on, the DC uses itself for its
> > nameserver.
> We've had this discussion before. This command does not run on the
> current host, it contacts *one of the DCs* and sets it there. It
> should then be replicated to the others.
>

The thing is, if Samba had a working way of syncing sysvol between DCs, it wouldn't matter, but I would imagine that users would like to do everything on one DC (probably the one with the PDC_Emulator FSMO role) and then sync sysvol to all other DCs. If the gpo commands are creating things on other DCs, then that isn't going to work.

Rowland
David Mulder
2024-Apr-18 16:30 UTC
[Samba] Samba-tool gpo manage - The authenticated user does not have sufficient privileges
On 4/18/24 10:22 AM, Rowland Penny via samba wrote:

> I used sudo because when I first ran it without sudo, I got this:
>
> adminuser@tmpdc1:~ $ samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
> ERROR: Error connecting to 'rpidc2.samdom.example.com' using SMB

Well that's odd. That shouldn't be necessary.

> I then ran it with sudo but without '-Uadministrator' and got this:
>
> adminuser@tmpdc1:~ $ sudo samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh
> ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
>     return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 3519, in run
>     reg = RegistryGroupPolicies(gpo, self.lp, self.creds, self.samdb, H)
>           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/policies.py", line 77, in __init__
>     ds_sd_ndr = msg['nTSecurityDescriptor'][0]
>                 ~~~^^^^^^^^^^^^^^^^^^^^^^^^
>
> Finally running it with sudo and '-Uadministrator' appeared to work.

Hrm, looks like a bug to me.

> The thing is, if Samba had a working way of syncing sysvol between DCs,
> it wouldn't matter, but I would imagine that users would like to do
> everything on one DC (probably the one with the PDC_Emulator FSMO role)
> and then sync sysvol to all other DCs. If the gpo commands are creating
> things on other DCs, then that isn't going to work.

That's a good point. There was some progress fixing this at some point, but I don't recall what happened with that. I think perhaps you can force it to use the local host via the '-H' option.

-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
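
A check for the situation reported in this thread (a file present under one DC's sysvol but absent on another), as an added example that is not part of the original messages or of Samba: it hashes every file under each DC's Policies tree and lists paths that are missing or differ. It assumes each DC's tree is reachable as a local directory (for example a mounted or copied sysvol); the function names and the sample trees built in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def sysvol_drift(roots):
    """roots: {dc_name: path to that DC's Policies tree}.
    Returns {relative_path: {dc_name: digest or None}} for every file that
    is missing on some DC or whose content differs between DCs."""
    manifests = {dc: manifest(path) for dc, path in roots.items()}
    all_paths = set().union(*(m.keys() for m in manifests.values()))
    drift = {}
    for rel in sorted(all_paths):
        seen = {dc: m.get(rel) for dc, m in manifests.items()}
        if len(set(seen.values())) > 1:
            drift[rel] = seen
    return drift

def demo():
    """Constructed sample: the script exists only on rpidc2, as in the thread."""
    gpo = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
    rel = os.path.join(gpo, "MACHINE", "VGP", "VTLA", "Unix", "Scripts",
                       "Startup", "test_script.sh")
    base = tempfile.mkdtemp()
    roots = {}
    for dc in ("tmpdc1", "rpidc2"):
        roots[dc] = os.path.join(base, dc)
        os.makedirs(os.path.join(roots[dc], gpo, "MACHINE"))
        with open(os.path.join(roots[dc], gpo, "GPT.INI"), "w") as fh:
            fh.write("[General]\nVersion=1\n")  # identical on both, so not reported
    target = os.path.join(roots["rpidc2"], rel)
    os.makedirs(os.path.dirname(target))
    with open(target, "w") as fh:
        fh.write('#!/bin/bash\n\necho "Hello World"\n\nexit 0\n')
    return rel, sysvol_drift(roots)

if __name__ == "__main__":
    for path, seen in demo()[1].items():
        print(path, {dc: (d[:12] if d else "MISSING") for dc, d in seen.items()})
```

Only file content is compared; ACLs and ownership on the sysvol files are not.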