[Samba] Secondary groups not recognized by Samba
Nick K
crabbymcgrump at gmail.com
Thu Jul 2 14:06:35 UTC 2015
I am running Samba 4.1.12 with SSSD 1.12.2 on RHEL 7.1. I have joined my
system to a Win 2008r2 domain. I have added the necessary unix attributes
to all relevant users and groups. When I add a domain group to a
directory, either as the primary group or as an ACL, I can access the share
locally from the server, but cannot access the share from a Windows system
via the SMB share. If I change the account primary group on our domain
controller, then everything works. Basically, the only domain group that
Samba allows is Domain Users since that is the default primary group on our
accounts.
Kerberos tickets are successfully generated and test LDAP queries run
successfully.
> getent group netmon_deviceconfigs
netmon_deviceconfigs:*:16784931:nkuser,wkadmin,nkadmin,wkuser
> getent passwd nkuser
nkuser:*:16781645:16777729:K, Nick:/home/USERS/nkuser:/bin/bash
> getent group Domain\ Users
domain users:*:16777729:nkuser,cdscan20,cdscan19,cdscan18,.....
Anybody have any recommendations? I've been buried in this for two days!
:) Configs are below:
#!==============================================================
sssd.conf
#!==============================================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam, pac
[domain/mydomain.com]
ad_server = dc01.mydomain.com
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%d/%u
ldap_search_base = dc=mydomain,dc=com?subtree?
ldap_group_search_base = dc=mydomain,dc=com?subtree?(objectClass=group)
ldap_user_search_base = dc=mydomain,dc=com?subtree?(objectClass=user)
ldap_group_member = member
#!==============================================================
smb.conf
#!==============================================================
# ----------------------- Network-Related Options -------------------------
workgroup = MYWORKGROUP
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
netbios name = MGMT01
# ----------------------- Domain Members Options ------------------------
security = ads
realm = MYDOMAIN.COM
# ----------------------- Share Definitions -------------------------
[homes]
comment = Home Directories
browseable = no
writable = yes
create mask = 0660
directory mask = 0770
[share]
browseable = yes
writeable = yes
path = /var/shared
inherit permissions = no
inherit acls = yes
inherit owner = no
acl group control = yes
#!==============================================================
krb5.conf
#!==============================================================
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
MYDOMAIN.COM = {
kdc = dc01.mydomain.com
admin_server = dc01.mydomain.com
}
[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM
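A small diagnostic, added here and not part of the original post, that rebuilds a user's Unix token from the getent output quoted above and checks it against a directory's owner/group/mode. The sample passwd and group lines are constructed from the values in the post (the truncated "domain users" member list is shortened to the names shown); the directory parameters are assumed, and the "primary-group-only" token is a model of the symptom described (access granted through Domain Users only), not a claim about where Samba's token is actually built.

```python
"""
Rebuild a user's Unix token (uid, primary gid, supplementary gids) from
getent-style passwd/group output and test whether it would pass a POSIX
mode check on a directory.  Comparing the full token against a token that
carries only the primary gid reproduces the post's symptom: access through
the share's group works locally but not when supplementary groups are absent.
"""

# Constructed sample NSS output, taken from the getent calls in the post.
PASSWD_TEXT = "nkuser:*:16781645:16777729:K, Nick:/home/USERS/nkuser:/bin/bash\n"
GROUP_TEXT = (
    "netmon_deviceconfigs:*:16784931:nkuser,wkadmin,nkadmin,wkuser\n"
    "domain users:*:16777729:nkuser,cdscan20,cdscan19,cdscan18\n"
)

# Assumed share directory: /var/shared owned by root, group netmon_deviceconfigs, mode 0770.
SHARE_OWNER_UID = 0
SHARE_GROUP_GID = 16784931
SHARE_MODE = 0o770


def parse_passwd(text):
    """Parse passwd(5) lines into {name: {uid, gid, home, shell}}."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_groups(text):
    """Parse group(5) lines into {name: {gid, members}}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def full_token(user, users, groups):
    """What a local process gets via getgrouplist(3): primary gid plus every
    group that lists the user as a member."""
    gids = {users[user]["gid"]}
    for g in groups.values():
        if user in g["members"]:
            gids.add(g["gid"])
    return {"uid": users[user]["uid"], "gids": gids}


def primary_only_token(user, users):
    """Hypothetical token carrying only the primary gid (models the symptom
    that only the primary group is honoured over SMB)."""
    return {"uid": users[user]["uid"], "gids": {users[user]["gid"]}}


def token_grants(token, owner_uid, group_gid, mode, want="rwx"):
    """Plain POSIX mode check (no POSIX ACLs): pick the owner, group or other
    triplet based on the token and require every bit in `want`."""
    bits = {"r": 4, "w": 2, "x": 1}
    if token["uid"] == owner_uid:
        shift = 6
    elif group_gid in token["gids"]:
        shift = 3
    else:
        shift = 0
    perm = (mode >> shift) & 7
    return all(perm & bits[c] for c in want)


def diagnose(user, passwd_text=PASSWD_TEXT, group_text=GROUP_TEXT):
    """Return (full_token_ok, primary_only_ok) for the assumed share directory."""
    users = parse_passwd(passwd_text)
    groups = parse_groups(group_text)
    full = full_token(user, users, groups)
    prim = primary_only_token(user, users)
    return (
        token_grants(full, SHARE_OWNER_UID, SHARE_GROUP_GID, SHARE_MODE),
        token_grants(prim, SHARE_OWNER_UID, SHARE_GROUP_GID, SHARE_MODE),
    )


if __name__ == "__main__":
    ok_full, ok_prim = diagnose("nkuser")
    print("full token grants access:        ", ok_full)
    print("primary-only token grants access:", ok_prim)
```

If the full token passes and the primary-only token fails, the directory permissions themselves are fine and the question becomes which groups end up in the token Samba constructs for the SMB session, which is where to compare against the local result.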