AD groups not providing authentication for Samba shares

Since migrating from CentOS to Almalinux, we’ve been unable to get our Samba shares working properly. For a restricted share “Share1” we have permissions set to 771 for user1 : mydomain\group1. In this scenario, user1 can access Share1, but user2 (who is a member of mydomain\group1) cannot. Changing ownership from user1 to user2 reverses the issue, such that user2 can access the share and user1 cannot.

The samba logs show an NT_STATUS_ACCESS_DENIED error:

[2024/12/02 11:58:51.960127,  2] ../../source3/smbd/dosmode.c:138(unix_mode)
  unix_mode(.) inherit mode 40771
[2024/12/02 11:58:51.960276,  3] ../../source3/smbd/smb2_server.c:4036(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:361
[2024/12/02 11:58:52.106944,  2] ../../source3/smbd/dosmode.c:138(unix_mode)
  unix_mode(.) inherit mode 40771
...
[2024/12/02 11:58:55.378146,  3] ../../source3/smbd/smb2_server.c:4036(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:361

Windows reports that “You do not have permission to access \\file.mydomain\share1.”

This appears to be affecting all shares and groups. As a workaround for the limited number of restricted shares, I’ve been able to grant access with ACLs:

# file: share1/
# owner: user1
# group: group1
user::rwx
user:user2:rwx
...
user:userN:rwx
group::rwx
mask::rwx
other::--x

but obviously this workaround won’t scale.

Details

We have a Windows 2016 server for AD and an AlmaLinux 9.5 file server running samba 4.20.2. Users are connecting from domain joined Windows 10/11 workstations.

To set this up, I followed the procedure found here to configure samba to use Windows AD.

I’ve verified that groups group1 and getent group group1 produce the correct list of users and that the GID matches the permissions on the share1 directory.

kinit and klist show that we can grant and store Kerberos tickets successfully for users and users can authenticate to the file.mydomain server with their AD credentials.

id user2@mydomain.com shows the correct group membership.

/etc/samba/smb.conf

[global]
        server smb encrypt = required
        client smb encrypt = required
        log file = /var/log/samba/%m.log
        log level = 3
        realm = MYDOMAIN.COM
        workgroup = MYDOMAIN
        security = ads
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        kerberos method = secrets and keytab
        winbind refresh tickets = Yes
        template homedir = /home/users/%U
        template shell = /bin/bash
        idmap config MYDOMAIN : range = 2000000-2999999
        idmap config MYDOMAIN : backend = sss
        idmap config * : range = 10000-1999999
        idmap config * : backend = tdb
        unix extensions = no
        wide links = yes
        follow symlinks = yes
        netbios name = file

[share1]
        browsable = yes
        path = /path/to/share1
        inherit permissions = yes
        read only = No
        strict locking = no

/etc/nsswitch.conf

passwd:     files sss systemd #I tried adding winbind here as well
group:      files sss systemd #I tried adding winbind here as well
netgroup:   sss files
automount:  sss files
services:   sss files

alternatives --display cifs-idmap-plugin

cifs-idmap-plugin - status is auto.
 link currently points to /usr/lib64/cifs-utils/cifs_idmap_sss.so
/usr/lib64/cifs-utils/cifs_idmap_sss.so - priority 20
/usr/lib64/cifs-utils/idmapwb.so - priority 10
Current `best' version is /usr/lib64/cifs-utils/cifs_idmap_sss.so.

At this point, I’m not sure where else I should be looking to get this resolved. Any help would be greatly appreciated!
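The two symptoms in the post (the owner always gets in, a named-user ACL entry always gets in, the group bit never helps) line up with the POSIX.1e access check the kernel runs on the share path, and smbd is subject to that check with whatever credentials it has for the connecting user. The following is an added example, not code from the post or from Samba: a small model of that check, fed with a constructed copy of the getfacl output quoted above and with the plain 771 mode from the first paragraph. It shows which outcome each layout produces depending on whether the group `group1` is actually present in the credentials used for the check, which is the thing `id user2@mydomain.com` on the shell does not prove for smbd's own token. Names such as `user1`, `user2`, `userN` and `group1` are taken from the post; `check_access` and the other helpers are this example's own.

```python
"""Model of the POSIX.1e ACL access check applied to a share directory.

Added example (not part of the original post). It compares the getfacl
layout quoted in the question with the bare 771 mode, for a user whose
credentials do or do not carry the owning group.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

PERM_BITS = frozenset("rwx")


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: Set[str]                          # user::  (owner entry)
    group_obj: Set[str]                         # group:: (owning-group entry)
    other: Set[str]                             # other::
    named_users: Dict[str, Set[str]] = field(default_factory=dict)
    named_groups: Dict[str, Set[str]] = field(default_factory=dict)
    mask: Optional[Set[str]] = None             # absent for a minimal (mode-only) ACL


def _perms(s: str) -> Set[str]:
    return {c for c in s if c in PERM_BITS}


def parse_getfacl(text: str) -> Acl:
    """Parse the long form of getfacl(1) output: '# owner:'/'# group:' header
    lines followed by one 'tag:qualifier:perms' entry per line."""
    owner = group = ""
    std: Dict[str, Set[str]] = {}
    named_users: Dict[str, Set[str]] = {}
    named_groups: Dict[str, Set[str]] = {}
    mask: Optional[Set[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue
        else:
            tag, qualifier, perms = line.split(":", 2)
            bits = _perms(perms)
            if tag == "user":
                (named_users.__setitem__(qualifier, bits) if qualifier
                 else std.__setitem__("user_obj", bits))
            elif tag == "group":
                (named_groups.__setitem__(qualifier, bits) if qualifier
                 else std.__setitem__("group_obj", bits))
            elif tag == "other":
                std["other"] = bits
            elif tag == "mask":
                mask = bits
    return Acl(owner, group, std["user_obj"], std["group_obj"], std["other"],
               named_users, named_groups, mask)


def mode_to_acl(owner: str, group: str, mode: int) -> Acl:
    """A plain mode such as 0o771 is the minimal ACL: user::, group::, other::, no mask."""
    def bits(n: int) -> Set[str]:
        return {p for p, b in (("r", 4), ("w", 2), ("x", 1)) if n & b}
    return Acl(owner, group, bits(mode >> 6), bits(mode >> 3), bits(mode))


def check_access(acl: Acl, user: str, groups: Iterable[str], requested: str) -> bool:
    """POSIX.1e access check. The first matching class decides: owner, then a
    named user, then the set of matching group entries (any one may grant),
    then other. Named-user and group entries are limited by the mask."""
    want = _perms(requested)
    mask = acl.mask if acl.mask is not None else PERM_BITS
    if user == acl.owner:
        return want <= acl.user_obj
    if user in acl.named_users:
        return want <= (acl.named_users[user] & mask)
    groups = set(groups)
    candidates = [acl.group_obj] if acl.group in groups else []
    candidates.extend(p for g, p in acl.named_groups.items() if g in groups)
    if candidates:
        return any(want <= (p & mask) for p in candidates)
    return want <= acl.other


# Constructed copy of the getfacl output quoted in the question.
SHARE1_GETFACL = """\
# file: share1/
# owner: user1
# group: group1
user::rwx
user:user2:rwx
user:userN:rwx
group::rwx
mask::rwx
other::--x
"""


def outcomes() -> Dict[str, bool]:
    """Read access ('r') for user2 under each layout, with and without group1 in the credentials."""
    acl_named = parse_getfacl(SHARE1_GETFACL)
    acl_plain = mode_to_acl("user1", "group1", 0o771)
    return {
        "named-user ACL, group1 present": check_access(acl_named, "user2", ["group1"], "r"),
        "named-user ACL, group1 absent": check_access(acl_named, "user2", [], "r"),
        "plain 771, group1 present": check_access(acl_plain, "user2", ["group1"], "r"),
        "plain 771, group1 absent": check_access(acl_plain, "user2", [], "r"),
    }


if __name__ == "__main__":
    for layout, ok in outcomes().items():
        print(f"{layout:34s} -> {'granted' if ok else 'denied'}")
```

The last row is the one that matters: with only the 771 mode, user2 is granted read access exactly when `group1` is in the credentials the check runs with, and otherwise falls through to `other::--x`, which allows traversal but not listing or reading. The named-user workaround bypasses the group class entirely, which is why it works regardless of membership and also why it does not tell you anything about whether the group is being resolved.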