Winbind needs to be able to execute /usr/sbin/samba-gpupdate in order to apply
group policy, but it's being blocked by apparmor:

[2022/11/09 11:02:36.004585,  0]
../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
  /usr/sbin/samba-gpupdate: Failed to exec child - Permission denied
[2022/11/09 11:02:36.006258,  3]
../../lib/util/util_runcmd.c:319(samba_runcmd_io_handler)
  samba_runcmd_io_handler: Child /usr/sbin/samba-gpupdate exited 255
[2022/11/09 11:02:36.006294,  0]
../../source3/winbindd/winbindd_gpupdate.c:182(gpupdate_cmd_done)
  gpupdate_cmd_done: gpupdate failed with exit status 255


type=AVC msg=audit(1668022211.285:471): apparmor="DENIED" operation="exec"
profile="winbindd" name="/usr/sbin/samba-gpupdate" pid=9638
comm=74666F726B20776169746572 requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Bug ID	1205303
Summary	AppArmor prevents winbind from starting /usr/sbin/samba-gpupdate
Classification	openSUSE
Product	openSUSE Tumbleweed
Version	Current
Hardware	Other
OS	Other
Status	NEW
Severity	Normal
Priority	P5 - None
Component	AppArmor
Assignee	suse-beta@cboltz.de
Reporter	david.mulder@suse.com
QA Contact	qa-bugs@suse.de
Found By	---
Blocker	---