Bug 15738 - Creation of GPOs applicable to more than one group is impossible with Samba 4.20.0 and later
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.20.0
Hardware: x64 All
Importance: P5 critical
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2024-10-14 17:09 UTC by miguelmedalha
Modified: 2024-10-15 21:21 UTC
Description miguelmedalha 2024-10-14 17:09:54 UTC
Starting with Samba version 4.20.0, when using the Group Policy Management app included with Windows RSAT, under "Delegation", it is not possible to set "Apply group policy" to more than one group, because the app silently quits immediately.

When executed again, the app presents "The specified server cannot perform the requested operation". After a "samba-tool ntacl sysvolreset", this message disappears but the recently created Group Policy Object is corrupt and delegation of permissions cannot be performed, with the error "The security ID structure is invalid". The only solution is to delete the newly created Group Policy Object.

It is thus impossible to create Group Policy Objects applicable to more than one group, which pretty much makes GPOs way less useful.

The same issue is still present in versions 4.21.0 and 4.21.1.

Reverting to Samba 4.19.8 solves the issue and GPOs work correctly again.

I classified this bug as critical because it is critical for our use. GPOs are one of the most useful features of an AD environment, being indispensable in many cases.

Our Samba AD servers are running on AlmaLinux 9.4.

Best regards and thank you.
Comment 1 Björn Jacke 2024-10-15 15:37:20 UTC
seems to be a problem of your samba installation, I can't reproduce this, tested with sernet samba+ 4.20.5 here...
Comment 2 Björn Jacke 2024-10-15 15:43:11 UTC
ah, setting the "Apply group policy" *permission* for delegated group shows the problem that you describe, okay I can confirm that fails here, too.