Mason Schmitt
2023-Aug-09 04:48 UTC
[Samba] Permissions failures on Samba 4.10.x file server with 4.17.x Samba AD DC, but not with 4.16.x AD DC
I have 3 completely autonomous sites, each running their own unique Samba AD domains. At each site I have one VM running Samba as an AD DC and a separate VM running Samba as a file server. All three sites have the same samba configuration and all exhibit the same symptoms, thus the problem is consistently reproducible. I'm not yet reporting this as a bug, because I assume I must be doing something wrong, so I'm looking for insights from the community.

*Problem exists today with these samba versions*

*AD DC*
OS = AlmaLinux 8.8
Samba = 4.17.10 (from the tis-samba repo at https://samba.tranquil.it/redhat8/samba-4.17/)
smb.conf = see config files at the end of the email

*File server*
OS = CentOS 7
Samba = 4.10.16 (from the CentOS updates repo)
smb.conf = see config files at the end of the email

*Problem does not exist with these samba versions*

AD DC - Exactly the same as above, but with Samba 4.16.10
File server - Exactly the same as above

Note: Don't confuse the Samba AD DC version of 4.16.10 with the file server version of 4.10.16... That's just an unfortunate coincidence, which could cause some confusion.

*Problem description*

With the AD DC running Samba version 4.16.x, users on Windows PCs (version 10 and 11 Pro) were able to access shares, files and folders according to share permissions and Windows file/folder ACLs. This had worked fine for months. At first, after upgrading the AD DC to 4.17.8 (it has since been upgraded to 4.17.10), everything continued to work as before the upgrade. However, after several days, users started to complain that they couldn't access shares at all. The logs *on the file server* showed the following.

Aug 8 10:47:54 fs1 smbd_audit: TEMPLATE\mason|10.255.250.20|Shared|chdir|fail (Permission denied)|chdir|/srv/samba/Top/Shared
[2023/08/08 10:47:54.405225, 0] ../../source3/smbd/uid.c:448(change_to_user_internal)
  change_to_user_internal: chdir_current_service() failed!
Because the logs suggested there was a permissions issue, I tried resetting the file permissions *on the file server* using Windows file explorer to re-apply the Windows ACLs. I didn't change the permissions at all, I simply re-applied them. This seemed to resolve the issue for a few days, but then the problem manifested again. Given that the only thing that had changed was the Samba version on the AD DC, it didn't make sense to mess around with the file server permissions again. This time a co-worker tried setting file permissions using usernames rather than groups. This was a shot in the dark, but surprisingly it has worked and continues to work. However, it means that we currently can't manage permissions using groups, which is highly undesirable.

This has been very slow and challenging to troubleshoot, because when I make a change that I think might resolve the problem, I have to wait several days before I find out if it worked or not. Thus, I've been banging my head against this problem for a very long time now. I'm hoping that someone is able to help me out.
*AD DC smb.conf*

[global]
    dns forwarder = 10.255.246.1
    netbios name = AD1
    realm = TEMPLATE.FTLCOMPUTING.CA
    server role = active directory domain controller
    workgroup = TEMPLATE
    # log level = 1 auth_audit:3 auth_json_audit:3
    log level = 3 auth_json_audit:3 dsdb_json_audit:5 dsdb_password_json_audit:5 dsdb_group_json_audit:5 dsdb_transaction_json_audit:5 kerberos:2 acls:5
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/template.ftlcomputing.ca/scripts
    read only = No

*File Server smb.conf*

[global]
    kerberos method = system keytab
    workgroup = TEMPLATE
    security = ads
    realm = TEMPLATE.FTLCOMPUTING.CA

    # Logging
    log file = /var/log/samba/%m.log
    log level = 2 kerberos:3 acls:5
    full_audit:prefix = %u|%m|%S
    full_audit:success = all
    full_audit:failure = all
    full_audit:log_secdesc = true

    # We're using the RID method of mapping SIDs to UID/GID
    idmap config TEMPLATE : range = 2000000-2999999
    idmap config TEMPLATE : backend = rid
    idmap config * : range = 10000-999999
    idmap config * : backend = tdb

    # Winbind
    winbind use default domain = no
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind enum groups = no
    winbind enum users = no

    # Map domain admin account to local root account
    # and resolve other "net rpc" issues
    username map = /etc/samba/user.map

    # FIXME - Remove once patch is available
    # Temporarily uncomment the option below in order to work around this bug,
    # until a fix is available. https://bugzilla.samba.org/show_bug.cgi?id=14901#c0
    #min domain uid = 0

    bind interfaces only = yes
    interfaces = lo eth0

    # Enable Windows ACL support and make ACLs maximally compatible with NTFS ACLs.
    # Beyond setting the POSIX ownership and permissions for the share directory, all ACLs
    # should be managed in Windows. See the comment in the Shares section below for details
    # about our standard share configuration (both on the Linux/POSIX side and on the Windows side)
    vfs objects = acl_xattr recycle full_audit
    acl_xattr:default acl style = windows
    #acl_xattr:ignore system acls = yes # PURE EVIL! If you value your sanity, don't use this option
    map acl inherit = yes
    store dos attributes = yes

    # Samba version 4.9.x enabled extended attribute support, by default.
    # This should be a good thing as it enables clients to make more intelligent decisions.
    # Unfortunately, customers have reported that old Windows 7 CE data collection devices
    # don't like the new settings, so if you encounter this at another location, change this setting
    ea support = yes

    # ------------------------------------
    # Global Security Settings
    # ------------------------------------
    # Disable SMB1, it's too old and too insecure to be used anymore
    server min protocol = SMB2
    # Samba AD users will not have access to a shell on linux hosts
    template shell = /bin/false
    # Netbios is dead, let's make it explicit
    disable netbios = yes
    # Win10 clients that have negotiated an encrypted connection,
    # are not able to successfully re-connect to shares,
    # after being idle for an extended period of time.
    # Disabling encryption resolves this issue.
    smb encrypt = off
    # Hide shares from users that don't have permission to see them
    access based share enum = yes

    # -------------------------------------------------------
    # Automatic creation of home directories
    # -------------------------------------------------------
    # !!! Important SELINUX configuration !!!
    # For automatic creation of home directories to work,
    # you must set two selinux booleans with the following commands:
    # setsebool -P samba_create_home_dirs 1
    # setsebool -P samba_enable_home_dirs 1
    #
    # Check that the selinux booleans were correctly set
    # getsebool -a | grep samba | grep home
    #
    # For samba to serve the home dirs, they must be labeled with the
    # selinux type 'samba_share_t'
    # During the installation of this server a policy was created for the
    # /srv/samba/ directory, which ensures all sub-folders/files are labeled
    # with samba_share_t. Therefore, as long as the home folders are located
    # under /srv/samba/ this labelling will be taken care of.
    # --- End of SELINUX configuration ---

    # Home directories will be created at this path with %U being replaced by
    # the username
    template homedir = /srv/samba/Top/Home/%U
    # Home dir creation will be handled via oddjob, kicked off from PAM.
    # This setting needs to be in place for this to work correctly
    obey pam restrictions = yes

# This share declaration works in conjunction with a pam module and a GPO
# When a user logs in for the first time, a new home folder will
# be created for them on the file server and a mapped drive (H:) will
# be created in the Windows profile on their computer. See the samba wiki for
# details of how to create the GPO
# https://wiki.samba.org/index.php/User_Home_Folders#Using_a_Group_Policy_Preference
[Home]
    path = /srv/samba/Top/Home
    comment = Share for user home dirs
    guest ok = no
    read only = no
    # Recycle bin
    recycle:repository = %U/Recycle_Bin
    recycle:versions = Yes
    recycle:keeptree = Yes
    recycle:touch = Yes
    recycle:exclude = *.tmp,~$*
    recycle:exclude_dir = %U/Recycle_Bin

# -------------------------
# Standard Shares
# -------------------------
[Top]
    path = /srv/samba/Top
    comment = Parent share sets top level Windows file permission inheritance
    guest ok = no
    read only = no

[Backup]
    path = /srv/samba/Top/Backup
    comment = Create separate folders, with locked down permissions, for each application
    guest ok = no
    read only = no

[Software]
    path = /srv/samba/Top/Software
    comment = Software repository
    guest ok = no
    read only = no

[Shared]
    path = /srv/samba/Top/Shared
    comment = Company shared files
    guest ok = no
    read only = no
    # Recycle bin
    recycle:repository = Recycle_Bin/%U
    recycle:versions = Yes
    recycle:keeptree = Yes
    recycle:touch = Yes
    recycle:exclude = *.tmp,~$*
    recycle:exclude_dir = Recycle_Bin

-- 
Mason
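The file server in the post logs every VFS call through vfs_full_audit with the prefix `%u|%m|%S`, so the syslog stream already contains everything needed to see which user, share and operation is failing and how often. The following parser is an added example, not code from Mason's post or from the Samba project: it splits those smbd_audit records into fields and counts failures per (user, share, operation), so a recurring `chdir ... Permission denied` on one share stands out from the noise of successful calls. The sample log lines are constructed for the example; only the first mirrors the line quoted in the post.

```python
"""Summarise vfs_full_audit failures from smbd_audit syslog lines.

Assumes the smb.conf setting  full_audit:prefix = %u|%m|%S  (three prefix
fields), after which full_audit appends  |operation|result|arguments.
Lines without an "smbd_audit:" tag (e.g. smbd debug output) are skipped.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Everything after "smbd_audit: " is the pipe-separated audit record.
AUDIT_RE = re.compile(r"smbd_audit:\s*(?P<record>.+)$")

# Number of fields produced by the configured prefix (%u|%m|%S).
PREFIX_FIELDS = 3

# Constructed sample input. The first line copies the record quoted in the
# post; the others are invented to show a successful call and a second user.
SAMPLE_LOG = """\
Aug  8 10:47:54 fs1 smbd_audit: TEMPLATE\\mason|10.255.250.20|Shared|chdir|fail (Permission denied)|chdir|/srv/samba/Top/Shared
Aug  8 10:47:54 fs1 smbd: [2023/08/08 10:47:54.405225, 0] ../../source3/smbd/uid.c:448(change_to_user_internal)
Aug  8 10:47:54 fs1 smbd:   change_to_user_internal: chdir_current_service() failed!
Aug  8 10:48:01 fs1 smbd_audit: TEMPLATE\\mason|10.255.250.20|Shared|chdir|fail (Permission denied)|chdir|/srv/samba/Top/Shared
Aug  8 10:48:10 fs1 smbd_audit: TEMPLATE\\alice|10.255.250.21|Home|chdir|ok|chdir|/srv/samba/Top/Home
Aug  8 10:48:12 fs1 smbd_audit: TEMPLATE\\alice|10.255.250.21|Home|open|ok|r|notes.txt
"""


@dataclass(frozen=True)
class AuditEvent:
    user: str        # %u, e.g. TEMPLATE\mason
    client: str      # %m, client address or name
    share: str       # %S, share name
    operation: str   # VFS operation, e.g. chdir, open
    result: str      # "ok" or "fail (reason)"
    args: str        # remaining operation arguments, joined as logged

    @property
    def failed(self) -> bool:
        return self.result.startswith("fail")


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for one syslog line, or None if it is not an
    smbd_audit record or has fewer fields than prefix + operation + result."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    # Cap the split so argument fields that contain '|' stay together.
    parts = m.group("record").split("|", PREFIX_FIELDS + 2)
    if len(parts) < PREFIX_FIELDS + 2:
        return None
    user, client, share, operation, result = parts[: PREFIX_FIELDS + 2]
    args = parts[PREFIX_FIELDS + 2] if len(parts) > PREFIX_FIELDS + 2 else ""
    return AuditEvent(user, client, share, operation, result, args)


def parse_log(lines: Iterable[str]) -> List[AuditEvent]:
    """Parse all audit records, dropping non-audit lines."""
    events = [parse_audit_line(line) for line in lines]
    return [ev for ev in events if ev is not None]


def failure_summary(lines: Iterable[str]) -> Counter:
    """Count failed operations keyed by (user, share, operation)."""
    counts: Counter = Counter()
    for ev in parse_log(lines):
        if ev.failed:
            counts[(ev.user, ev.share, ev.operation)] += 1
    return counts


if __name__ == "__main__":
    for (user, share, op), n in failure_summary(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {user:<24} share={share:<10} op={op}")
```

Run against a real `/var/log/messages` (or the per-client log file configured above) the same function gives a per-user, per-share failure count over time, which is the measurement the post is missing: whether the `chdir` failures return for every group-permissioned share at once, or only for particular users, narrows the problem to the group membership / token side or the file-system ACL side before anything on the file server is changed.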