I am facing a strange problem with AD GPOs.
I have had numerous GPOs working correctly for years but now, following the
installation of new servers with a new Samba version, I am unable to create
a new GPO with RSAT. I can configure it alright but it fails when I try to
apply the respective rights under "Delegation > Advanced". As soon as I
apply the permissions, it fails with the message "The security ID structure
is invalid". If I click "Advanced" again the program silently exits. When I
execute the app again, the same message "The security ID structure is
invalid" appears and nothing can be done regarding the permissions. I then
have to do a sysvolreset on the DC. After the sysvolreset I execute the
Windows app again and I am greeted by "The specified server cannot perform
the requested operation." The app never restarts correctly again until the
newly created GPO is deleted.

Furthermore, every single operation on GPOs performed through the Windows
app needs to be followed by a sysvolreset because the permissions are
mangled. I can't believe that this has not been solved after all these
years. It is somewhat disturbing because GPOs are one of the most useful
features of AD.

The DCs are running Samba 4.20.5 over AlmaLinux 9.4. Their smb.conf is the
following:

[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.COM
    server role = active directory domain controller
    dns forwarder = xxx.xxx.xxx.xxx
    disable netbios = yes
    ntlm auth = no
    client ipc signing = mandatory
    server min protocol = SMB2_10
    host msdfs = yes
    admin users = @"CIMBAL\Domain Admins"
    smb ports = 445
    disable spoolss = yes
    apply group policies = yes

[netlogon]
    path = /usr/local/samba/var/sysvol/lan.cimbal.pt/scripts
    read only = no
    browsable = yes
    vfs objects = dfs_samba4 acl_xattr

[sysvol]
    path = /usr/local/samba/var/sysvol
    read only = no
    browsable = yes
    vfs objects = dfs_samba4 acl_xattr