samba - Apr 2024 - Samba-tool gpo manage - The authenticated user does not have sufficient privileges

W dniu 19.04.2024 o?09:59, Jaros?aw K?opotek - INTERDUO via samba
pisze:
> W dniu 18.04.2024 o?18:11, David Mulder via samba pisze:
>> On 4/18/24 1:03 AM, Jaros?aw K?opotek - INTERDUO via samba wrote:
>>> Hi all,
>>>
>>> I run cmd:
>>> samba-tool gpo manage scripts startup add \
>>> {31B2F340-016D-11D2-945F-00C04FB984F9} \
>>> /var/lib/samba/sysvol/fartest.local/scripts/startup.bat
>>>
>>> with result:
>>> [cut]
>>> ERROR: The authenticated user does not have sufficient privileges
>>> ? File
"/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line
>>> 3230, in run
>>> ??? create_directory_hier(conn, vgp_dir)
>>> ? File
"/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line
>>> 383, in create_directory_hier
>>> ??? conn.mkdir(path)
>>> signed SMB2 message (sign_algo_id=2)
>>
>> You've authenticated an SMB session, and your user is attempting to
>> create a directory on the share, but is getting a permissions error. 
>> If this is happening for the Administrator, then you clearly have a 
>> permissions issue on your sysvol share. Try running `samba-tool ntacl 
>> sysvolreset`.
> This not helped ... but adding read only = no in [sysvol] share helped.
> Thanks for leading to solution.
And I also changed -UAdministrator to -Uadministrator.

-- 
Jaros?aw K?opotek, kom. 607 893 111

On 19-04-2024 10:33, Jaros?aw K?opotek - INTERDUO via samba
wrote:
> W dniu 19.04.2024 o?09:59, Jaros?aw K?opotek - INTERDUO via samba pisze:
>> W dniu 18.04.2024 o?18:11, David Mulder via samba pisze:
>>> On 4/18/24 1:03 AM, Jaros?aw K?opotek - INTERDUO via samba wrote:
>>>> Hi all,
>>>>
>>>> I run cmd:
>>>> samba-tool gpo manage scripts startup add \
>>>> {31B2F340-016D-11D2-945F-00C04FB984F9} \
>>>> /var/lib/samba/sysvol/fartest.local/scripts/startup.bat
>>>>
>>>> with result:
>>>> [cut]
>>>> ERROR: The authenticated user does not have sufficient
privileges
>>>> ? File
"/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line
>>>> 3230, in run
>>>> ??? create_directory_hier(conn, vgp_dir)
>>>> ? File
"/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line
>>>> 383, in create_directory_hier
>>>> ??? conn.mkdir(path)
>>>> signed SMB2 message (sign_algo_id=2)
>>>
>>> You've authenticated an SMB session, and your user is
attempting to
>>> create a directory on the share, but is getting a permissions
error.
>>> If this is happening for the Administrator, then you clearly have a
>>> permissions issue on your sysvol share. Try running `samba-tool 
>>> ntacl sysvolreset`.
>> This not helped ... but adding read only = no in [sysvol] share helped.
>> Thanks for leading to solution.
> And I also changed -UAdministrator to -Uadministrator.
>
It looks like it fails on "conn.mkdir(path)", i.e. creating a
directory.

This is a filesystem operation happening over smb, i.e. filesystem 
permissions apply.

Did you check that the permissions on directory are correct?

Did you check that idmapping of your user is the same on all DCs 
including the content of "/var/lib/samba/private/idmap.ldb"?

- Kees.

On 19-04-2024 10:33, Jaros?aw K?opotek - INTERDUO via samba
wrote:
> W dniu 19.04.2024 o?09:59, Jaros?aw K?opotek - INTERDUO via samba pisze:
>> W dniu 18.04.2024 o?18:11, David Mulder via samba pisze:
>>> On 4/18/24 1:03 AM, Jaros?aw K?opotek - INTERDUO via samba wrote:
>>>> Hi all,
>>>>
>>>> I run cmd:
>>>> samba-tool gpo manage scripts startup add \
>>>> {31B2F340-016D-11D2-945F-00C04FB984F9} \
>>>> /var/lib/samba/sysvol/fartest.local/scripts/startup.bat
>>>>
>>>> with result:
>>>> [cut]
>>>> ERROR: The authenticated user does not have sufficient
privileges
>>>> ? File
"/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line
>>>> 3230, in run
>>>> ??? create_directory_hier(conn, vgp_dir)
>>>> ? File
"/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line
>>>> 383, in create_directory_hier
>>>> ??? conn.mkdir(path)
>>>> signed SMB2 message (sign_algo_id=2)
>>>
>>> You've authenticated an SMB session, and your user is
attempting to
>>> create a directory on the share, but is getting a permissions
error.
>>> If this is happening for the Administrator, then you clearly have a
>>> permissions issue on your sysvol share. Try running `samba-tool 
>>> ntacl sysvolreset`.
>> This not helped ... but adding read only = no in [sysvol] share helped.
>> Thanks for leading to solution.
> And I also changed -UAdministrator to -Uadministrator.
>
It looks like it fails on "conn.mkdir(path)", i.e. creating a
directory.
This is a filesystem operation happening over smb, i.e. filesystem 
permissions apply.

Did you check that the permissions (mode permissions, posix-acls, 
nt-acls) on directory are correct?? This can be fixed by running 
"samba-tool ntacl sysvolreset".

Did you check that idmapping of your user is the same on all DCs 
including the content of "/var/lib/samba/private/idmap.ldb"? More info
on idmap.ldb: 
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

- Kees.