Bug 15471 - samba-tool gpo restore works only with the built-in Administrator user
Summary: samba-tool gpo restore works only with the built-in Administrator user
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Python
Version: 4.17.10
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Douglas Bagnall
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-06 08:08 UTC by Mateusz
Modified: 2023-09-06 20:12 UTC

See Also:


Description Mateusz 2023-09-06 08:08:01 UTC
Since the upgrade from 4.16.5 to 4.17.X, samba-tool gpo restore seems to work only with the built-in Administrator user. If I try any other user which is a member of the same groups (Domain Users, Domain Admins, Schema Admins, Enterprise Admins, Group Policy Creator Owners, Administrators), I get the following error with this command: samba-tool gpo restore "Company(ReadOnly)" "$baseline_ro/CompanyReadOnly/policy" --tmpdir=/tmp -Utestadmin

--
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
GPO 'Test(ReadOnly)' created as {93CD1083-E8EE-44B5-A481-CB0982C08BBB}
WARNING: No such parser for comment.cmtx
WARNING: Falling back to simple copy-restore.
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 1674, in run
    copy_directory_local_to_remote(self.conn, self.gpodir,
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 382, in copy_directory_local_to_remote
    conn.savefile(r_name, data)
samba.NTSTATUSError: (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
(3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
Failed to restore GPO -- deleting...
GPO {93CD1083-E8EE-44B5-A481-CB0982C08BBB} deleted.
--

I already tried the following without any luck:
1. Different Samba versions: 4.18.X, 4.19.0, 4.17.X
2. New setup with Samba 4.19.0
3. Different user
4. Disable GPO removal in gpo.py to check permissions in the sysvol share
   a. The 'testadmin' user is able to create a new folder with content inside the policy directory, but has no write permissions inside the User folder (e.g. \\54321.local\sysvol\54321.local\Policies\{444C009C-1638-40A0-924D-2D3AEC1FD9BE}\User) -> This is also the reason why the gpo restore command fails

If I revert the Samba version to 4.16.5 the gpo restore command works instantly.

How you can reproduce this issue:
1. Deploy Samba Active Directory on Samba 4.17.x or newer
2. Create a new AD user with the same groups as the built-in Administrator
3. Configure one Group Policy Object with Windows and back it up with samba-tool gpo backup
4. Use samba-tool gpo restore -Utestadmin to restore your export
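The permission check from item 4a above can be done without editing gpo.py: the following script is an added example (not part of the bug report or of Samba) that issues the same libsmb savefile() call that fails in copy_directory_local_to_remote against the policy root, Machine and User folders of one GPO, and reports which of them return STATUS_ACCESS_DENIED for the given account. It assumes the Samba Python bindings are installed; the probe file name is constructed and removed again on success.

```python
"""Probe which sysvol folders of a GPO a user can write into.

Added diagnostic, not Samba's own code. Run it as the non-Administrator
account before 'samba-tool gpo restore' to see where the access-denied
error will come from. Needs the samba Python bindings on this host.
"""
import sys

STATUS_ACCESS_DENIED = 0xC0000022  # decimal 3221225506 in the traceback

def probe_paths(realm, gpo_guid):
    """Sysvol-relative folders a restore writes into, in the backslash
    form libsmb expects. gpo_guid includes the braces, e.g. '{444C...}'."""
    root = "\\".join([realm, "Policies", gpo_guid])
    return [root, root + "\\Machine", root + "\\User"]

def probe_write(conn, folder, probe_name="__write_probe.tmp"):
    """Create and delete a small file in folder (constructed probe name).
    Returns 'ok', 'access denied', or the hex NTSTATUS of another failure.
    conn needs savefile(path, data) and unlink(path) like libsmb.Conn;
    samba.NTSTATUSError carries (status_code, message) in its args."""
    path = folder + "\\" + probe_name
    try:
        conn.savefile(path, b"probe")
        conn.unlink(path)
        return "ok"
    except Exception as e:
        if e.args and isinstance(e.args[0], int):
            if e.args[0] == STATUS_ACCESS_DENIED:
                return "access denied"
            return hex(e.args[0])
        raise

def main(dc, realm, gpo_guid, user, password):
    # imported here so the helpers above work without the bindings
    from samba.param import LoadParm
    from samba.credentials import Credentials
    from samba.samba3 import libsmb
    lp = LoadParm()
    lp.load_default()
    creds = Credentials()
    creds.guess(lp)
    creds.set_username(user)
    creds.set_password(password)
    conn = libsmb.Conn(dc, "sysvol", lp, creds)  # same share gpo.py uses
    for folder in probe_paths(realm, gpo_guid):
        print(f"{folder}: {probe_write(conn, folder)}")

if __name__ == "__main__":
    # usage: probe_gpo_write.py DC_HOSTNAME REALM '{GPO-GUID}' USER PASSWORD
    main(*sys.argv[1:6])
```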