[Samba] Machine level GPO always denied with "Filter: Denied (Security)"

Robert Marcano robert at marcanoonline.com
Wed Jan 17 13:47:01 UTC 2018


Greetings.

I have provisioned a test AD domain (single DC initially), and joined a
single workstation to it. When I use the "Default Domain Policy" that
already exists on the new domain tree, the user level policies are applied
perfectly, but machine level policies aren't.

The "Default Domain Policy" includes "Authenticated Users" read and apply
on the delegation tab.

"gpupdate /force" says machine and user policies were updated. There is no
error in the Windows error log.

"gpresult /v" says the "Default Domain Policy" was filtered because of
"Denied (Security)". I find it weird that gpresult shows only these groups
as the machine being a member of:

  NULL SID
  NT AUTHORITY\NETWORK,
  This company,
  and something like "mandatory level of no trust" (Windows is not in
English)

gpresult does not say the machine is part of Authenticated Users or Domain
Computers. What could be wrong here? What is that NULL SID?

Running Samba Version 4.7.4.

"samba-tool ntacl sysvolcheck" reports permission errors every time I update
the GPO:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO file /var/lib/samba/sysvol/ad.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Preferences/Shortcuts/Shortcuts.xml
O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object

"samba-tool ntacl sysvolreset" fixes the error, but the machine level GPO is
not applied even after it.

Thanks in advance

-- 
Robert Marcano

