Hi,
I am testing 2 Samba AD DCs running self-compiled 4.7.0rc5 and 2 member servers
that are running samba-4.6.2-8.el7.x86_64 that I am trying to get set up as file
servers.
The file server smb.conf looks like the following:
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.MYDOMAIN.COM
winbind use default domain = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:unix_nss_info = yes
idmap config SAMDOM:range = 10000-999999
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no
username map = /etc/samba/user.map
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Logging
log file = /var/log/samba/%m.log
log level = 1
## Samba Shared directories
[users]
path = /home/samba/users/
readonly = no
When I try to access the users share from a Windows 7 box that is a domain
member logged in as administrator, I can access it as expected. If I log in
to the same Windows box as a normal user who is a member of the Domain
Users group, I am denied.
I have set up a group called "Unix Admins" which is a member of the Domain
Admins group. The Unix Admins and Domain Users groups have Unix GIDs
assigned to them.
getent group shows the following:
(vfs1 pts9) # getent group "SAMDOM\Domain Users"
domain users:x:10000:
(vfs1 pts9) # getent group "SAMDOM\Unix Admins"
unix admins:x:10001:
(vfs1 pts9) #
getent passwd shows the following:
(vfs1 pts9) # getent passwd "SAMDOM\tuser"
tuser:*:10001:10000:Test User:/home/samba/tuser:/bin/false
(vfs1 pts9) #
Permissions on the users directory are as follows:
(vfs1 pts9) # ll -d users/
drwxrwx---+ 3 root unix admins 23 Aug 31 22:27 users/
(vfs1 pts9) # getfacl users
# file: users
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::r-x
(vfs1 pts9) #
As you can see above, my test user is a member of the Domain Users group and, if
I am reading the above permissions correctly, Domain Users has rwx permissions.
Does anyone have any idea what I am doing wrong?
Regards,
--
Tom me at tdiehl.org
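As an added illustration (not part of the original post or of Samba's own code), the script below replays the getfacl and getent output quoted above, constructed here as inline strings, and walks the POSIX.1e ACL evaluation order from acl(5): owner entry first, then a named user entry, then any matching owning-group or named-group entry (each masked by mask::), and finally other::. It assumes tuser's only group is its primary group "domain users" (GID 10000), which is all the quoted getent output shows, and it does not model Samba's own share-level or NT ACL checks, which sit in front of the filesystem ACL.

```python
"""Evaluate POSIX.1e ACL access for a named user.

Added example, not from the original post. It parses getfacl output (with its
\\NNN octal escapes) and applies the acl(5) access-check algorithm, so the
permissions quoted in a thread like this can be checked mechanically.
"""

import re

# Constructed sample input: the getfacl output from the post. A raw string keeps
# getfacl's \040 escapes (octal for a space) literal so unescape() can undo them.
GETFACL_OUTPUT = r"""# file: users
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::r-x
"""

# Constructed account data matching the getent output in the post. The post
# shows tuser with primary GID 10000 ("domain users") and no other groups;
# "nobody" is a hypothetical account that is in none of the ACL's groups.
ACCOUNTS = {
    "root": {"primary": "root", "groups": set()},
    "tuser": {"primary": "domain users", "groups": set()},
    "nobody": {"primary": "nobody", "groups": set()},
}


def unescape(name):
    """Undo getfacl's \\NNN octal escaping, e.g. 'unix\\040admins' -> 'unix admins'."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return (owner, group, access_entries, default_entries).

    Each entry is (tag, qualifier, perms); perms is a set drawn from 'rwx'.
    """
    owner = group = None
    access, default = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition(":")
            if key == "owner":
                owner = unescape(value.strip())
            elif key == "group":
                group = unescape(value.strip())
            continue
        target = access
        if line.startswith("default:"):
            target = default
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        target.append((tag, unescape(qualifier), {c for c in perms if c in "rwx"}))
    return owner, group, access, default


def access_allowed(acl, user, requested):
    """acl(5) access check: does `user` get every bit in `requested` (e.g. 'rx')?"""
    owner, owning_group, entries, _ = acl
    requested = set(requested)
    by_tag = {}
    for tag, qual, perms in entries:
        by_tag.setdefault(tag, {})[qual] = perms
    # Without a mask entry, named entries are not masked at all.
    mask = by_tag.get("mask", {}).get("", {"r", "w", "x"})
    account = ACCOUNTS[user]

    # 1. File owner: the user:: entry applies and the mask does NOT apply.
    if user == owner:
        return requested <= by_tag["user"][""]
    # 2. Named user entry: applies after masking.
    if user in by_tag.get("user", {}):
        return requested <= (by_tag["user"][user] & mask)
    # 3. Owning group or any named group the user belongs to: access is granted
    #    if any single matching entry, after masking, contains all requested bits.
    user_groups = {account["primary"]} | account["groups"]
    matched = False
    for qual, perms in by_tag.get("group", {}).items():
        name = owning_group if qual == "" else qual
        if name in user_groups:
            matched = True
            if requested <= (perms & mask):
                return True
    if matched:
        return False
    # 4. No user or group entry matched: the other:: entry decides.
    return requested <= by_tag["other"][""]


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    for who in ("root", "tuser", "nobody"):
        print(who, "rwx on users/:", access_allowed(acl, who, "rwx"))
```

Run as-is it reports that root and tuser both satisfy rwx on the directory under the filesystem ACL alone, while the hypothetical "nobody" falls through to other::--- and is refused. The default:* entries are parsed but deliberately unused here: they only shape the ACL of files created inside the directory and play no part in the access check on the directory itself.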