[Samba] Client station file permission behavior changes after a week or so

Eric rvwbug at gmail.com
Mon Feb 24 14:03:54 UTC 2020


Sorry, but I didn't really know how to word this.

I have Univention Corporate server running as AD DC, with a UCS running
as a member fileserver.

One Win10 client develops file permission issues after roughly a week without a reboot or logout/login. Symptom: it can't write to shares even though the permissions are correct. Sometimes files are created without honoring the default ACL. Could this be due to Kerberos tickets expiring? I don't want to change the setting below without knowing the impact.

winbind refresh tickets = No


I'm not sure if this is limited to one client, as the other five clients shut down more regularly.

What diagnostic steps can I take when the symptom occurs?

DC1 smb.conf, samba = Version 4.10.1-Univention

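[global]
; Listen only on the interfaces named below (loopback plus ens3).
bind interfaces only = Yes
deadtime = 15
debug pid = Yes
domain master = Yes
interfaces = lo ens3
; LDAP simple binds and SASL binds without signing/sealing are only
; accepted when the connection is protected by TLS.
ldap server require strong auth = allow_sasl_over_tls
logging = file
logon drive = I:
logon home = \\DC01\%U
logon path = \\DC01\%U\windows-profiles\%a
; 0 = this host's machine account password is never rotated automatically.
machine password timeout = 0
; A logon with a username the server does not know is mapped to guest;
; a known user supplying a wrong password is still rejected.
map to guest = Bad User
; 0 = no size limit on the log file (rotation must happen elsewhere).
max log size = 0
max open files = 32808
max xmit = 65535
; Name lookups try WINS first; this DC is itself the WINS server (see below).
name resolve order = wins host bcast
obey pam restrictions = Yes
passdb backend = samba_dsdb
; NOTE(review): rejoined into one logical line; the mail wrapped the value.
passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
preferred master = Yes
realm = KIDDLAW.LAN
server role = active directory domain controller
; NOTE(review): rejoined into one logical line; the mail wrapped the value.
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
server string = Univention Corporate Server
template homedir = /home/%D-%U
template shell = /bin/bash
; TLS material for the LDAP service; outgoing TLS peers must present a
; certificate from this CA whose name matches (ca_and_name).
tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
tls certfile = /etc/univention/ssl/DC01.kiddlaw.lan/cert.pem
tls keyfile = /etc/univention/ssl/DC01.kiddlaw.lan/private.key
tls verify peer = ca_and_name
; User-defined shares are disabled.
usershare max shares = 0
winbind separator = +
wins support = Yes
workgroup = KIDDLAW
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
acl:search = no
spoolss: architecture = Windows x64
; NOTE(review): on a Samba AD DC winbind normally allocates IDs from
; idmap.ldb; confirm whether this tdb range is actually used on this host.
idmap config * : range = 300000-400000
kccsrv:samba_kcc = False
; Schema changes over LDAP are refused.
dsdb:schema update allowed = no
nmbd_proxy_logon:cldap_server = 127.0.0.1
server role check:inhibit = yes
idmap config * : backend = tdb
; Files may be executed even when their ACL does not grant execute.
acl allow execute always = Yes
; These accounts get root-equivalent access on every share; keep the list short.
admin users = administrator join-backup
; base.conf is merged at this point; keys after it override its values, so
; the effective configuration is not fully visible in this listing.
include = /etc/samba/base.conf
kernel oplocks = Yes
map archive = No
; acl_xattr stores the Windows ACL in an xattr; where that xattr is missing
; it falls back to the POSIX ACL/mode — worth checking for the
; "created without honoring the default ACL" symptom.
vfs objects = dfs_samba4 acl_xattr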


[netlogon]
; Logon scripts, served from the SYSVOL scripts directory.
path = /var/lib/samba/sysvol/kiddlaw.lan/scripts
comment = Domain logon service
; Writable: anyone the filesystem ACL admits can alter scripts that
; clients may run at logon, so that ACL is the control to watch.
read only = No
case sensitive = No


[sysvol]
; SYSVOL (Group Policy and scripts); writable so policy can be edited
; from Windows management tools.
path = /var/lib/samba/sysvol
read only = No
; Bump the mtime when an ACL stored in xattrs changes, so the change is
; visible as a modification.
acl xattr update mtime = Yes
case sensitive = No


[homes]
; Per-user home share, resolved from the logon user name.
comment = Heimatverzeichnisse
browseable = No
read only = No
vfs objects = acl_xattr
; New files and directories get owner-only POSIX mode bits (0700).
create mask = 0700
directory mask = 0700
; The roaming-profile directory is hidden from listings, not protected.
hide files = /windows-profiles/


[printers]
comment = Drucker
; Spool directory for incoming print jobs.
path = /tmp
printable = Yes
browseable = No
; Spool files are created owner-only at the POSIX level.
create mask = 0700


[print$]
; Printer driver share (drivers are downloaded and installed by clients).
comment = Printer Drivers
; NOTE(review): include sits mid-section. If this is the raw smb.conf rather
; than testparm output, any section the included file defines would capture
; the keys that follow; verify the effective layout with testparm -s.
include = /etc/samba/shares.conf
path = /var/lib/samba/drivers
read only = No
; Only these may upload drivers; driver publishing is a privileged action.
write list = root Administrator @Printer-Admins

Fileserver smb.conf, samba = Version 4.10.1-Univention

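[global]
; Listen only on the interfaces named below (loopback plus ens3).
bind interfaces only = Yes
deadtime = 15
debug pid = Yes
interfaces = lo ens3
; LDAP simple binds and SASL binds without signing/sealing are only
; accepted when the connection is protected by TLS.
ldap server require strong auth = allow_sasl_over_tls
logging = file
logon drive = I:
logon home = \\FS01\%U
logon path = \\FS01\%U\windows-profiles\%a
; 0 = this host's machine account password is never rotated automatically.
machine password timeout = 0
; A logon with a username the server does not know is mapped to guest;
; a known user supplying a wrong password is still rejected.
map to guest = Bad User
; 0 = no size limit on the log file (rotation must happen elsewhere).
max log size = 0
max open files = 32808
max xmit = 65535
; NOTE(review): WINS is tried first but no "wins support"/"wins server" is
; visible here; it may come from base.conf.
name resolve order = wins host bcast
obey pam restrictions = Yes
passdb backend = samba_dsdb
; NOTE(review): rejoined into one logical line; the mail wrapped the value.
passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
preferred master = Yes
printcap name = cups
realm = KIDDLAW.LAN
; NOTE(review): this host runs as an AD DC (kdc, drepl, kcc in server
; services), not as the domain member file server described in the mail.
server role = active directory domain controller
; NOTE(review): rejoined into one logical line; the mail wrapped the value.
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
server string = Univention Corporate Server
template homedir = /home/%D-%U
template shell = /bin/bash
; TLS material for the LDAP service; outgoing TLS peers must present a
; certificate from this CA whose name matches (ca_and_name).
tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
tls certfile = /etc/univention/ssl/FS01.kiddlaw.lan/cert.pem
tls keyfile = /etc/univention/ssl/FS01.kiddlaw.lan/private.key
tls verify peer = ca_and_name
; User-defined shares are disabled.
usershare max shares = 0
winbind separator = +
workgroup = KIDDLAW
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
acl:search = no
spoolss: architecture = Windows x64
; NOTE(review): on a Samba AD DC winbind normally allocates IDs from
; idmap.ldb; confirm whether this tdb range is actually used on this host.
idmap config * : range = 300000-400000
kccsrv:samba_kcc = False
; Schema changes over LDAP are refused.
dsdb:schema update allowed = no
nmbd_proxy_logon:cldap_server = 127.0.0.1
server role check:inhibit = yes
idmap config * : backend = tdb
; Files may be executed even when their ACL does not grant execute.
acl allow execute always = Yes
; These accounts get root-equivalent access on every share; keep the list short.
admin users = administrator join-backup
; base.conf is merged at this point; keys after it override its values, so
; the effective configuration is not fully visible in this listing.
include = /etc/samba/base.conf
kernel oplocks = Yes
map archive = No
; acl_xattr stores the Windows ACL in an xattr; where that xattr is missing
; it falls back to the POSIX ACL/mode — worth checking for the
; "created without honoring the default ACL" symptom.
vfs objects = dfs_samba4 acl_xattr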


[netlogon]
; Logon scripts, served from the SYSVOL scripts directory.
path = /var/lib/samba/sysvol/kiddlaw.lan/scripts
comment = Domain logon service
; Writable: anyone the filesystem ACL admits can alter scripts that
; clients may run at logon, so that ACL is the control to watch.
read only = No
case sensitive = No


[sysvol]
; SYSVOL (Group Policy and scripts); writable so policy can be edited
; from Windows management tools.
path = /var/lib/samba/sysvol
read only = No
; Bump the mtime when an ACL stored in xattrs changes, so the change is
; visible as a modification.
acl xattr update mtime = Yes
case sensitive = No


[homes]
; Per-user home share, resolved from the logon user name.
comment = Heimatverzeichnisse
browseable = No
read only = No
vfs objects = acl_xattr
; New files and directories get owner-only POSIX mode bits (0700).
create mask = 0700
directory mask = 0700
; The roaming-profile directory is hidden from listings, not protected.
hide files = /windows-profiles/


[printers]
comment = Drucker
; Spool directory for incoming print jobs.
path = /tmp
printable = Yes
browseable = No
; Spool files are created owner-only at the POSIX level.
create mask = 0700


[print$]
; Printer driver share (drivers are downloaded and installed by clients).
comment = Printer Drivers
; NOTE(review): include sits mid-section and names the sharedData share file.
; If this is the raw smb.conf rather than testparm output, the [sharedData]
; section from that file would capture the keys below; verify with testparm -s.
include = /etc/samba/shares.conf.d/sharedData
path = /var/lib/samba/drivers
read only = No
; Only these may upload drivers; driver publishing is a privileged action.
write list = root Administrator @Printer-Admins


[sharedData]
; General shared data; file operations are audited via full_audit.
path = /srv/shares/sharedData
read only = No
; Users without access to the share do not see it when enumerating shares ...
access based share enum = Yes
; ... nor entries they cannot read inside it (an access check per entry).
hide unreadable = Yes
; macOS metadata files are made invisible and inaccessible.
veto files = /.Trashes/._*/.DS_Store/
; full_audit's success/failure/prefix settings are not visible in this
; listing (possibly in the included file); its log is the first place to
; look when the write failures recur.
vfs objects = acl_xattr full_audit

Thanks in advance!

Eric

