Robert Marcano
2018-Jan-17 13:47 UTC
[Samba] Machine level GPO always denied with "Filter: Denied (Security)"
Greetings.

I have provisioned a test AD domain (single DC initially), and joined a single workstation to it. When I use the "Default Domain Policy" that already exists on the new domain tree, the user level policies are applied perfectly, but machine level policies aren't. The "Default Domain Policy" includes "Authenticated Users" read and apply on the delegation tab.

"gpupdate /force" says machine and user policies were updated. There is no error in the Windows error log. "gpresult /v" says the "Default Domain Policy" was filtered because of "Denied (Security)".

I find it weird that gpresult shows only these groups as the machine being a member of: NULL SID, NT AUTHORITY\NETWORK, This company, and something like "mandatory level of no trust" (Windows is not in English). gpresult does not say the machine is part of Authenticated Users or Domain Computers.

What could be wrong here? What is that NULL SID?

Running Samba Version 4.7.4.

samba-tool ntacl sysvolcheck reports permission errors every time I update the GPO:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file /var/lib/samba/sysvol/ad.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Preferences/Shortcuts/Shortcuts.xml O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object

"samba-tool ntacl sysvolreset" fixes the error, but the machine level GPO is not applied even after it.

Thanks in advance

--
Robert Marcano
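An added example (not part of the original post, and not Samba's own code): a small Python comparison of the two SDDL strings quoted in the sysvolcheck error above, showing exactly where the ACL on the file differs from the one expected from the GPO object. The function names are hypothetical, and the parser assumes only an owner, a group and a DACL with one distinct ACE per trustee, as in these two strings.

```python
import re

# SDDL strings copied from the sysvolcheck error quoted in the post.
ACTUAL = ("O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
          "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

SID = r"[A-Z]{2}|S-[\d-]+"  # two-letter alias (DA, BA, ...) or a literal SID
SDDL_RE = re.compile(rf"^O:(?P<owner>{SID})G:(?P<group>{SID})"
                     r"D:(?P<dacl_flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an owner/group/DACL SDDL string into its parts (no SACL support)."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: " + sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, flags, rights, _obj, _inherit_obj, trustee = body.split(";")
        aces.append((trustee, ace_type, flags, int(rights, 16)))
    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": m["dacl_flags"], "aces": aces}

def diff_sddl(actual, expected):
    """Return header differences plus per-trustee ACE differences."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    report = {k: (a[k], e[k]) for k in ("owner", "group", "dacl_flags")
              if a[k] != e[k]}
    # Assumption: one distinct ACE per trustee (duplicates collapse here).
    a_aces = {ace[0]: ace[1:] for ace in a["aces"]}
    e_aces = {ace[0]: ace[1:] for ace in e["aces"]}
    report["only_actual"] = sorted(a_aces.keys() - e_aces.keys())
    report["only_expected"] = sorted(e_aces.keys() - a_aces.keys())
    report["changed"] = {t: (a_aces[t], e_aces[t])
                         for t in sorted(a_aces.keys() & e_aces.keys())
                         if a_aces[t] != e_aces[t]}
    return report

if __name__ == "__main__":
    for key, value in diff_sddl(ACTUAL, EXPECTED).items():
        print(key, "->", value)
```

For these two strings the access masks are the same for every shared trustee; the differences are the owner and group, the protected (P) DACL flag, the BA and CO entries, and the OI/CI inheritance flags on each ACE.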