Error with samba-tool or RSAT when creating a GPO

I have provisioned a samba-ad-dc and joined two Windows 10 Pro PCs. I created users and I can log in on the Windows 10 PCs with these users.
Listing the GPOs gives:

rasp:/ # samba-tool gpo listall
GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path : \\samdom.pce23.net\sysvol\samdom.pce23.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=pce23,DC=net
version : 0
flags : NONE
GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path : \\samdom.pce23.net\sysvol\samdom.pce23.net\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=pce23,DC=net
version : 0
flags : NONE
rasp:/ #

When I try to create a new GPO via samba-tool I receive this error:

rasp:~ # samba-tool gpo create "Global Message" -U Administrator
Password for [SAMDOM\Administrator]:
Using temporary directory /tmp/tmpew8pml0o (use --tmpdir to change)
ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
File "/usr/lib64/python3.10/site-packages/samba/netcmd/__init__.py", line 185, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python3.10/site-packages/samba/netcmd/gpo.py", line 1279, in run
conn.set_acl(sharepath, fs_sd, sio)
File "/usr/lib64/python3.10/site-packages/samba/samba3/libsmb_samba_internal.py", line 128, in set_acl
self.set_sd(fnum, sd, sinfo)

If I try with RSAT on the Windows PC I receive the error message "Can't Create a File When It Already Exists".

And now listing the GPOs gives :rage:

rasp:/ # samba-tool gpo listall
GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path : \\samdom.pce23.net\sysvol\samdom.pce23.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=pce23,DC=net
version : 0
flags : NONE
GPO : {49BEC50A-00E2-4EE7-91EB-26C8D45701E2}
ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
File "/usr/lib64/python3.10/site-packages/samba/netcmd/__init__.py", line 185, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python3.10/site-packages/samba/netcmd/gpo.py", line 477, in run
self.outf.write("display name : %s\n" % m['displayName'][0])

So a new GPO {49BEC50A-00E2-4EE7-91EB-26C8D45701E2} was created, but it is giving this error.

How can I solve this?
Many thanks in advance
Phi

More info:

  1. I found in /var/lib/samba/sysvol/samdom.pce23.net/Policies 2 new empty directories created at the time of the error:

rasp:/var/lib/samba/sysvol/samdom.pce23.net/Policies # ls -al
total 64
drwxrwx---+ 7 root 3000000 4096 Dec 13 10:26 .
drwxrwx---+ 4 root 3000000 4096 Oct 28 10:51 ..
drwxrwx---+ 24 root 3000000 12288 Dec 10 07:54 PolicyDefinitions
drwxrwx---+ 4 3000004 3000004 4096 Oct 28 10:51 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxr-x---+ 2 root users 4096 Dec 13 10:26 {49BEC50A-00E2-4EE7-91EB-26C8D45701E2}
drwxrwx---+ 4 3000004 3000004 4096 Oct 28 10:51 {6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxr-x---+ 2 root users 4096 Dec 13 10:25 {7EFD18F2-578D-4D70-ADBB-EE41EC6ACEB6}

The two old directories each contain a file (GPT.INI) and 2 directories (Machine and User), while the new ones are empty.

I moved the 2 new directories to another location and then I searched the samba DB (/var/lib/samba/private/sam.ldb) for these 2 new uids:

ldbsearch -s sub -H ldap://localhost -b CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=SAMDOM,DC=PCE23,DC=NET -U Administrator
Password for [SAMDOM\Administrator]:
rasp: # record 1 …

This gave 3 records for each uid and I removed them all (with the different CNs) via:

rasp: # ldbdel --url=/var/lib/samba/private/sam.ldb CN=User,CN={49BEC50A-00E2-4EE7-91EB-26C8D45701E2},CN=Policies,CN=System,DC=SAMDOM,DC=PCE23,DC=NET -U Administrator
Deleted 1 record
rasp: #

After the removal, the command samba-tool gpo listall returns no more errors. :smile:

I know that for Samba, MIT Kerberos is still considered experimental, see

Running a Samba AD DC with MIT Kerberos KDC - SambaWiki
but there they don't speak about a problem with GPOs.

Now my problem is half resolved. My samba-ad-dc seems to be running without problems.
The gpo create problem remains.

Regards
Philippe
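The clean-up described in this post (comparing the GPO entries in AD against the GUID directories under SYSVOL, then spotting the half-created ones) can be done as a consistency check instead of by eye. The script below is an added example and is not part of the post or of the Samba project: it parses the text output of `samba-tool gpo listall`, scans a `Policies` directory for GUID-named subdirectories, and reports GPOs that exist on only one side, directories that lack the expected `GPT.INI`/`Machine`/`User` layout, and AD objects with no `displayName` (the condition that makes `listall` abort with `KeyError`). Because `listall` stops at the first broken object, the parser records that the listing was truncated and marks SYSVOL-only findings as unverified rather than reporting them as orphans. The sample `listall` text and the sample directory tree are constructed to mirror the listings in the post and are built in a temporary directory; the function names (`parse_listall`, `scan_sysvol_policies`, `audit`, `run_demo`) are this example's own.

```python
"""Cross-check AD Group Policy objects against their SYSVOL directories.

Added example, not Samba code. Run against a real DC as e.g.:
    samba-tool gpo listall > listall.txt
    python3 gpo_check.py   # after pointing scan_sysvol_policies() at
                           # /var/lib/samba/sysvol/<domain>/Policies
"""
import os
import re
import tempfile

# A GPO container directory is named by the GPO's GUID in braces.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A fully created GPO directory carries these three entries.
REQUIRED = {"GPT.INI", "Machine", "User"}


def parse_listall(text):
    """Parse `samba-tool gpo listall` text into ({guid: {field: value}}, truncated).

    `truncated` is True when an ERROR(...) line was hit, meaning later GPOs
    never got printed and cannot be judged from this output.
    """
    gpos, current, truncated = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ERROR("):
            truncated = True
            break
        if line.startswith("GPO"):
            m = GUID_RE.search(line)
            if m:
                current = m.group(0).upper()
                gpos[current] = {}
            continue
        if current is not None and " : " in line:
            key, _, value = line.partition(" : ")
            gpos[current][key.strip()] = value.strip()
    return gpos, truncated


def scan_sysvol_policies(policies_dir):
    """Return {guid: set(child names)} for every GUID-named directory."""
    found = {}
    for entry in os.scandir(policies_dir):
        if entry.is_dir() and GUID_RE.fullmatch(entry.name):
            found[entry.name.upper()] = set(os.listdir(entry.path))
    return found


def audit(gpos, sysvol, truncated=False):
    """Compare both views and return a list of (guid, problem) tuples."""
    findings = []
    for guid in sorted(set(gpos) | set(sysvol)):
        if guid not in sysvol:
            findings.append((guid, "AD object with no SYSVOL directory"))
        elif guid not in gpos:
            note = " (unverified: listall output truncated)" if truncated else ""
            findings.append((guid, "SYSVOL directory with no AD object" + note))
        else:
            missing = REQUIRED - sysvol[guid]
            if missing:
                findings.append((guid, "SYSVOL directory is missing " + ", ".join(sorted(missing))))
            if "display name" not in gpos[guid]:
                findings.append((guid, "AD object has no displayName (listall aborts here)"))
    return findings


# Constructed sample: the second listall run from the post, which aborts on
# the half-created GPO right after printing its GUID.
SAMPLE_LISTALL = r"""
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\samdom.pce23.net\sysvol\samdom.pce23.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=pce23,DC=net
version      : 0
flags        : NONE
GPO          : {49BEC50A-00E2-4EE7-91EB-26C8D45701E2}
ERROR(<class 'KeyError'>): uncaught exception - 'No such element'
"""

# Constructed sample: the Policies directory listing from the post.
SAMPLE_POLICIES = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": {"GPT.INI", "Machine", "User"},
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": {"GPT.INI", "Machine", "User"},
    "{49BEC50A-00E2-4EE7-91EB-26C8D45701E2}": set(),
    "{7EFD18F2-578D-4D70-ADBB-EE41EC6ACEB6}": set(),
}


def build_sample_policies(root):
    """Materialise SAMPLE_POLICIES under `root` (plus a non-GPO directory)."""
    os.mkdir(os.path.join(root, "PolicyDefinitions"))  # must be ignored
    for guid, children in SAMPLE_POLICIES.items():
        gdir = os.path.join(root, guid)
        os.mkdir(gdir)
        for child in children:
            if child == "GPT.INI":
                open(os.path.join(gdir, child), "w").close()
            else:
                os.mkdir(os.path.join(gdir, child))


def run_demo():
    """Run the audit on the constructed samples and return its findings."""
    gpos, truncated = parse_listall(SAMPLE_LISTALL)
    with tempfile.TemporaryDirectory() as root:
        build_sample_policies(root)
        sysvol = scan_sysvol_policies(root)
    return audit(gpos, sysvol, truncated)


if __name__ == "__main__":
    for guid, problem in run_demo():
        print(guid, problem)
```

On the post's data this flags {49BEC50A-…} twice (empty directory, no displayName) and lists {6AC1786C-…} and {7EFD18F2-…} as SYSVOL-only but unverified, because the truncated listing never reached them; once the broken object is removed and `listall` completes, the same check separates the genuine leftover {7EFD18F2-…} from the intact Default Domain Controllers Policy.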