Problem:
Blocking GPO inheritance does not work.
Sometimes it is useful to stop GPO inheritance. This works for all DRS-replicating servers in UCS, but not when the OU of a school is blocked.
Investigation:
root@primary:~ # samba-tool gpo getinheritance ou=sun,DC=schein,DC=me
Container has GPO_BLOCK_INHERITANCE
root@schul-repl1:~ # samba-tool gpo getinheritance ou=sun,DC=schein,DC=me
Container has GPO_INHERIT
root@schul-repl1:~ # univention-s4search ou=sun
# record 1
dn: OU=sun,DC=schein,DC=me
objectClass: top
objectClass: organizationalUnit
ou: sun
instanceType: 4
whenCreated: 20220607112147.0Z
uSNCreated: 4079
name: sun
objectGUID: 690cec8d-0464-4954-8aa1-ac374e2beb78
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=schein,DC
 =me
gPLink: [LDAP://cn={A210B517-89AB-499D-9135-0A8E56062792},cn=policies,cn=syste
 m,DC=schein,DC=me;1]
whenChanged: 20240614142044.0Z
uSNChanged: 6953
distinguishedName: OU=sun,DC=schein,DC=me
-----------------------------------------------------------------------------------------
root@primary:~ # univention-s4search ou=sun
# record 1
dn: OU=sun,DC=schein,DC=me
objectClass: top
objectClass: organizationalUnit
ou: sun
instanceType: 4
whenCreated: 20220619171352.0Z
uSNCreated: 4024
name: sun
objectGUID: 5acf60d3-f571-403f-ac54-1461312132a8
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=schein,DC
 =me
gPLink: [LDAP://cn={A210B517-89AB-499D-9135-0A8E56062792},cn=policies,cn=syste
 m,DC=schein,DC=me;1]
gPOptions: 1
whenChanged: 20240614142625.0Z
uSNChanged: 7606
distinguishedName: OU=sun,DC=schein,DC=me
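gPOptions is a property that contains all Block Policy Inheritance settings for the node.
We do not synchronize this attribute via the S4 connector, so the value set on the primary (gPOptions: 1) never reaches schul-repl1, which still reports GPO_INHERIT.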
Solution:
Usage: samba-tool gpo setinheritance <container_dn> <block|inherit> [options]
→
samba-tool gpo setinheritance ou=sun,DC=schein,DC=me block -U Administrator
Bug 57392 addresses this issue.
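
The comparison done by hand in the investigation can be scripted. The following is an added example, not part of the original article or of UCS: it parses two saved univention-s4search outputs and reports containers whose inheritance state differs between servers, so a block that never reached a replica is noticed before policies from parent containers are applied there. The function names are hypothetical and the sample records are abridged from the outputs above.

```python
GPO_BLOCK_INHERITANCE = 0x1  # bit 0 of gPOptions; attribute absent or 0 = inherit

# Sample input, abridged from the two univention-s4search outputs on this page.
PRIMARY_LDIF = """\
dn: OU=sun,DC=schein,DC=me
gPLink: [LDAP://cn={A210B517-89AB-499D-9135-0A8E56062792},cn=policies,cn=syste
 m,DC=schein,DC=me;1]
gPOptions: 1
uSNChanged: 7606
"""
REPLICA_LDIF = """\
dn: OU=sun,DC=schein,DC=me
gPLink: [LDAP://cn={A210B517-89AB-499D-9135-0A8E56062792},cn=policies,cn=syste
 m,DC=schein,DC=me;1]
uSNChanged: 6953
"""

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: [values]}}; base64 is not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of a folded line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):  # skip blank lines and comments
            lines.append(raw)
    records, current = {}, None
    for line in lines:
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            current = records.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    return records

def inheritance(record):
    """Map a record's gPOptions value to 'block' or 'inherit'."""
    options = int(record.get("gpoptions", ["0"])[0])
    return "block" if options & GPO_BLOCK_INHERITANCE else "inherit"

def inheritance_drift(reference_ldif, other_ldif):
    """List (dn, reference_state, other_state) for containers that disagree."""
    ref, other = parse_ldif(reference_ldif), parse_ldif(other_ldif)
    states = ((dn, inheritance(ref[dn]), inheritance(other[dn]))
              for dn in sorted(ref.keys() & other.keys()))
    return [s for s in states if s[1] != s[2]]

if __name__ == "__main__":
    for dn, primary, replica in inheritance_drift(PRIMARY_LDIF, REPLICA_LDIF):
        print(f"{dn}: primary={primary} replica={replica}")
```

Per-server attributes such as uSNChanged are ignored on purpose; only the gPOptions bit is compared.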