GAM not functioning within PHP script (Keeps needing to authorize scopes)


Luke Saintignan

Feb 24, 2016, 9:36:12 AM
to Google Apps Manager

Forgive me as I am not a programmer and the programmer that created this is no longer with us. We use GAM to auto create our student email accounts. Yesterday morning, it stopped working. I noticed there was an update recently and I remember being told that it would break if there was a new update. I updated it, successfully, but the issue still remains.

The issue seems to be related to gam running from within the PHP code. I can run gam create user just fine from within the command line, but when running via the script I get an add error...and it's not so much an error as it needs to just "continue." Here's what's in the logs:


Gmail Add Error
array (
'command' => 'C:\gam\gam.exe create user "******" firstname "LIZZBETH" lastname "FERGUSON" password "*****"',
'input' => '',
'stdout' => ' 
Select the authorized scopes for this token. Include a \'r\' to grant read-only
access or an \'a\' to grant action-only access.

[*] 0) Group Directory API (supports read-only)
[*] 1) Organizational Unit Directory API (supports read-only)
[*] 2) User Directory API (supports read-only)
[*] 3) Chrome OS Device Directory API (supports read-only)
[*] 4) Mobile Device Directory API (supports read-only and action)
[*] 5) User Email Settings API
[*] 6) Resource Calendar API (supports read-only)
[*] 7) Audit Monitors, Activity and Mailbox Exports API
[*] 8) Admin Settings API
[*] 9) Groups Settings API
[*] 10) Calendar Data API (supports read-only)
[*] 11) Audit Reports API
[*] 12) Usage Reports API
[*] 13) Drive API (create report documents for admin user only)
[*] 14) License Manager API
[*] 15) User Security Directory API
[ ] 16) Notifications Directory API
[*] 17) Site Verification API
[*] 18) IMAP/SMTP Access (send notifications to admin)
[*] 19) User Schemas (supports read-only)
[*] 20) Classroom API
[*] 21) Cloud Print API
[*] 22) Data Transfer API (supports read-only)
[*] 23) Customer Directory API (supports read-only)
[*] 24) Domains Directory API (supports read-only)
[*] 25) Roles API (supports read-only)

  26)  Select all scopes
  27)  Unselect all scopes
  28)  Continue

',
'stderr' => 'Traceback (most recent call last):
File "", line 9072, in 
File "", line 5048, in doCreateUser
File "", line 804, in buildGAPIObject
File "", line 8905, in doRequestOAuth
EOFError: EOF when reading a line
',
'return' => -1,

As you can see, it seems to be running the initial setup to configure the APIs, yet I've already done this. Even when I run that same gam create command from within the command line, it creates the user with no issues. Here's part of the PHP code:



if( ! $studentNew && ! $studentOld ) { // neither account exists, create one
    // C:\gam\gam.exe create user firstname lastname password 
    // C:\gam\gam.exe create user droth firstname "David Lee" lastname Roth password 'MightAsWellJump!'
    $output = my_exec( 'C:\gam\gam.exe create user "' . $studentUsername . '" firstname "' . $exStudents[$j]['FIRST_NAME'] . '" lastname "' . $exStudents[$j]['LAST_NAME'] . '" password "' . $studentPassword . '"' ); // send account info to Gmail
    if( $output['return'] === 0 ) { // account added
        $logfile->showNote( 'Created student Gmail account: ' . $studentUsername . ' for “' . htmlentities( $exStudents[$j]['LAST_NAME'] . ', ' . $exStudents[$j]['FIRST_NAME'] ) . '” (' . $exStudents[$j]['ID_NUM'] . ')' );
        $studentNew = array( 'EMAIL_ADDRESS' => $studentEmail, 'LAST_NAME' => $exStudents[$j]['LAST_NAME'], 'FIRST_NAME' => $exStudents[$j]['FIRST_NAME'], 'USER_ID' => $studentUsername );
        // ... remainder of the script was not posted
    }
}

Any guidance/help would be greatly appreciated!

Nate Ferrell

Feb 24, 2016, 10:51:14 AM
to Google Apps Manager
I'm not familiar with PHP, but in my Windows environment, I have to make sure that I change the running directory to the gam installation path if including it in scripts, otherwise it will see GAM, but not find the oauth file in my running path, causing it to request scope authorization.
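The working-directory advice above, as an added PHP example that is not part of the original thread or script: it starts gam.exe from C:\gam (the path in the log above) without going through a shell, leaves stdin at EOF, and flags the scope prompt explicitly instead of reporting a generic add error. Assumptions: run_gam() is a hypothetical helper, the account values are constructed, and the array form of proc_open() needs PHP 7.4 or later.

```php
<?php
// Added example; not the original script. Install path taken from the log above.
const GAM_DIR = 'C:\\gam';
const GAM_EXE = GAM_DIR . '\\gam.exe';

// Hypothetical helper: runs GAM directly (no shell) from its own directory.
function run_gam(array $args): array
{
    $errFile = tempnam(sys_get_temp_dir(), 'gam');   // stderr to a file: no pipe deadlock
    $spec = [
        0 => ['pipe', 'r'],
        1 => ['pipe', 'w'],
        2 => ['file', $errFile, 'w'],
    ];
    // Array form (PHP 7.4+) passes each value as one argument, so a name
    // containing quotes or & cannot change the command line.
    // The 4th argument is the working directory.
    $proc = proc_open(array_merge([GAM_EXE], $args), $spec, $pipes, GAM_DIR);
    if (!is_resource($proc)) {
        unlink($errFile);
        return ['stdout' => '', 'stderr' => 'could not start GAM', 'return' => -1, 'needs_auth' => false];
    }
    fclose($pipes[0]);                               // stdin at EOF; the job is unattended
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $code   = proc_close($proc);
    $stderr = (string) file_get_contents($errFile);
    unlink($errFile);

    return [
        'stdout'     => $stdout,
        'stderr'     => $stderr,
        'return'     => $code,
        // Text of the interactive prompt shown in the log above.
        'needs_auth' => strpos($stdout, 'Select the authorized scopes') !== false,
    ];
}

// Constructed sample values, not real accounts.
$result = run_gam(['create', 'user', 'jdoe', 'firstname', 'Jane', 'lastname', 'Doe',
                   'password', 'constructed-sample-only']);
if ($result['needs_auth']) {
    // GAM did not find its saved authorization; report that rather than a generic add error.
    error_log('GAM asked for scope authorization; check that its OAuth file is readable in ' . GAM_DIR);
} elseif ($result['return'] !== 0) {
    error_log('GAM failed (' . $result['return'] . '): ' . trim($result['stderr']));
}
```

Logging only the return code and stderr, rather than the full command as the original log does, keeps the password argument out of the log file.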

Luke Saintignan

Feb 24, 2016, 11:16:40 AM
to Google Apps Manager
Thanks for the reply Nate. That's the most frustrating part, me not being familiar with PHP. I KNOW the problem lies within this code somehow/somewhere, but I don't know how to fix it!

Nate Ferrell

Feb 24, 2016, 11:27:38 AM
to google-ap...@googlegroups.com
Considering this is PHP, it sounds like you have built a WebApp to perform these tasks.

Since the WebApp is hitting a Windows gam installation per the path indicated, is the WebApp acting as a service account? If so, does the WebApp's SA have permissions to read/write/modify to that gampath folder?



Thank you for your time,
Nate Ferrell
Systems Engineer | Google Apps Certified Administrator
x5120 | 817.494.0332



Luke Saintignan

Feb 24, 2016, 2:43:47 PM
to Google Apps Manager
I'm not sure if it's a WebApp, but it is running via a repeated scheduled task. It uses an account with domain administrative credentials for running, and it's set to "Run with highest privileges." I've logged into the server with said service account and I'm able to run all of the GAM commands from within the command prompt without issue. 

Thanks! 

Luke

Nate Ferrell

Feb 25, 2016, 7:40:13 PM
to Google Apps Manager
Luke,

A) Is the admin account in use in the security properties for "Log on with batch privileges"?

B) Is the scheduled task set to run whether the user is logged on or not?

C) What are the parameters of the job that runs, i.e. how is it kicking off a PHP script?

D) Any issue with recreating this in a Windows specific format like Powershell?

If D is an option and you're willing to share some of the details that the job does, I'd be more than happy to help write something that would do what you need with GAM in Powershell. I currently run my environment's GAM jobs via scheduled task, using Powershell to process all of the GAM commands ^_^. I can even write something generic in place of sensitive info and walk you through how to update it with the info once it's sent over.

Let me know! Anything I can help out with, I'm sure is usable in my own environment too, so it's not too big of an issue for me to work on something. If it's just new user creation, I actually have something already written out that can process any command you are trying to run anyway to create those users =]

Luke Saintignan

Feb 26, 2016, 9:22:00 PM
to Google Apps Manager
Looks like it was a bug that got released in 3.63. I went here https://github.com/taers232c/GAM/releases/tag/v3.63 and got this 3.63 version that had a fix to my issue. Everything is working again! Thanks to Ross for sharing the bug info with me! He wins the internet for the month of February.

I appreciate all the help/tips everyone. Have a great weekend.

Luke 

Operations Center

Feb 27, 2016, 1:08:42 AM
to google-ap...@googlegroups.com
Awesome!! 😁


--
Thank you for your time,
Nate Ferrell
Operations Center
