[Samba] Roaming Profiles GPO

[Pluess, Tobias]

Good Day,

I want to use a GPO to enable roaming profiles for certain users. For this,
I followed this guide:

https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group

I created in my directory the group "Roaming Profile Users" and added 2
users to it. Afterwards, I went to the GPO editor and created the GPO for
the roaming profiles. I removed the "Authenticated users" from the
"Security Filtering" and added the "Authenticated users" back on the
"Delegation" tab.
Further, I added my freshly created "Roaming Profile Users" group under
"Security Filtering", because I understood it such that the GPO is only
applied to the users and groups under "Security Filtering".

So, according to my understanding, the configuration was correct. To make
sure the GPO is in effect, I executed "gpupdate /force" and rebooted the
computer. Now, when I want to login as one of the users in the "Roaming
Profile Users" group, no roaming profile is created on my file share, and a
normal local profile is created instead.
On the other hand, when I add the "Authenticated users" to the "Security
Filtering", everything works as expected, i.e. a roaming profile is created
during login, but this happens for all domain users, not just for the ones
I want.
So obviously it seems like it does not work to apply a GPO only for one
group, is this as intended or is this a bug?

I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client.

Thanks for any hints!