Permission denied: ...oauth2.txt

1,315 views
Skip to first unread message

Brian Perkins

unread,
Mar 7, 2018, 11:58:52 AM3/7/18
to GAM for G Suite

Specs:
GAM 4.40 - https://git.io/gam
Jay Lee <jay0lee@gmail.com>
Python 2.7.14 64-bit final
google-api-python-client 1.6.4
oauth2client 4.1.2
Windows-2012ServerR2-6.3.9600 AMD64

Hi Jay, et al,

First, let me say what an awesome project and you have my sincerest respect for the time and effort you've put in. Cheers!

I searched the forum and the 'net and read the past issues related to this error, but this looks like a different situation.

I've written a PowerShell script (a set actually) that... 
  1. reads the Veracross API to find new students
  2. creates the ActiveDirectory account(s)
  3. calls gam.exe to create the corresponding Google account
  4. does other stuff (emails people, etc)
However, I'm running into a strange issue with this oauth2.txt error.  If I call "gam info domain" from a cmd.exe window before I execute my PoSh script, then everything works as expected.  However, if some time has past, then the call to gam.exe inside PoSh fails.  I also tried running "gam info domain" from the script, but again it fails with the same error if some time has past since I ran the command in the "DOS" window.

GAM was setup to use a specific account.  Let's call it GADS.  The Windows folder and all files in it are owned by GADS and my (interactive) user account has full control privileges for the folder and the files.  I've checked the file permissions when the error occurs and when it works as expected. The permissions are the same.

Where would you suggest I start looking first?

Brian

Ross Scroggs

unread,
Mar 7, 2018, 3:30:47 PM3/7/18
to google-ap...@googlegroups.com
Brian,

What's the full error message?

Ross

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/0147364c-9ca9-476a-ad5a-83a0068fe732%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Brian Perkins

unread,
Mar 12, 2018, 3:25:00 AM3/12/18
to GAM for G Suite
Hi Ross,

Here it is one example...

PS C:\Users\[username removed]>> gam.exe info domain
gam.exe : [6360] Failed to execute script gam
At line:1 char:1
+ gam.exe info domain
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: ([6360] Failed to execute script gam:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
Traceback (most recent call last):
  File "gam.py", line 12881, in <module>
  File "gam.py", line 12270, in ProcessGAMCommand
  File "gam.py", line 1633, in doGetDomainInfo
  File "gam.py", line 1655, in doGetCustomerInfo
  File "gam.py", line 886, in buildGAPIObject
  File "gam.py", line 846, in getValidOauth2TxtCredentials
  File "oauth2client\client.py", line 545, in refresh
  File "oauth2client\client.py", line 761, in _refresh
  File "oauth2client\client.py", line 802, in _do_refresh_request
  File "oauth2client\file.py", line 85, in locked_put
IOError: [Errno 13] Permission denied: u'C:\\AUTOMATION\\GAM\\oauth2.txt'


The other example is the exact same error message except for the parameters sent to gam.exe.

Thanks!
To post to this group, send email to google-ap...@googlegroups.com.



--

Ross Scroggs

unread,
Mar 12, 2018, 11:26:35 AM3/12/18
to google-ap...@googlegroups.com
Brian,

A token is good for an hour before it must be refreshed; if an hour has passed since the last refresh, gam info domain has to do a refresh and you get the error. Does this timing match what you see? What is the script doing? Is it continually issuing gam commands?
I'm trying to figure out if there is a collision between two Gams trying to do a refresh at the same time.

Ross


To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsubscribe...@googlegroups.com.



--

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.

Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/bf2a28bf-e7f8-4b87-ae49-7d4b2e2c3e53%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--

Brian Perkins

unread,
Mar 12, 2018, 12:03:59 PM3/12/18
to GAM for G Suite
Hi Ross,

The script is planned to be run every 45-50 minutes from 07:30 to 17:00 (M-F), but for now I'm just running it manually to try it out.

After further testing, I have confirmed that after the token expires, I must run "gam info domain" under elevated permissions to avoid the error. This is a problem since I'll eventually be running this as a user which does not have administrative rights via the Windows Task Scheduler.  I have again confirmed: 
  • the file is owned by the service account "GADS"
  • "GADS" has permissions for the full path to the file
  • "GADS" has full control of the file
  • there are no spaces in the path
So... how can I refresh the token in the oauth2.txt file without elevated permissions?  Can you think of anything else I might be missing?


Thanks again!

Brian

Brian Perkins

unread,
Mar 12, 2018, 12:11:24 PM3/12/18
to GAM for G Suite
With this new information, this seems like it might apply...

Brian Perkins

unread,
Mar 12, 2018, 1:12:15 PM3/12/18
to GAM for G Suite
Ok, so... there apparently is no gamcache on Windoze, so I renamed the oauth2.txt file and ran "gam info domain" again, this time definitely without elevated privileges.

Now I'm waiting for the hour to elapse so I can test whether I need UAC privs next time.

Ross Scroggs

unread,
Mar 12, 2018, 2:37:58 PM3/12/18
to google-ap...@googlegroups.com
Brian,

The "gam info domain" should have prompted you to build a new oauth2.txt file; did it?

Ross

On Mon, Mar 12, 2018 at 10:12 AM, Brian Perkins <itma...@lisluanda.com> wrote:
Ok, so... there apparently is no gamcache on Windoze, so I renamed the oauth2.txt file and ran "gam info domain" again, this time definitely without elevated privileges.

Now I'm waiting for the hour to elapse so I can test whether I need UAC privs next time.

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/8b91a20d-fda3-446e-a7a0-9148881e16af%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--

Brian Perkins

unread,
Mar 12, 2018, 3:26:40 PM3/12/18
to GAM for G Suite
Yes, I just typed 'c', logged in, etc...

It does seem to have resolved the issue. I waited an hour and the token was refreshed the next time I ran gam with normal privileges. Apparently the issue was that I first ran the gam setup process in elevated privileges.  

I waited another 75 minutes and it still refreshed just fine without elevated privileges, so I'd say this issue is closed, but perhaps there should be a warning against using elevated privs in the setup info?

Thanks Ross!
Reply all
Reply to author
Forward
0 new messages