We're really close!
We have authentication working. Users are able to log in and get mapped to their home directories. When trying to access Samba shares, the logs identify the users correctly. But it won't allow them to access shares, sadly. Here's what we see in the smbd log:
[2017/11/09 15:18:19.023461, 2] ../source3/smbd/service.c:862(make_connection_snum)
  [computername] (ipv4:[ipaddress]:49438) connect to service department initially as user [domain]\[username] (uid=819220300, gid=817889793) (pid 32376)
[2017/11/09 15:18:19.024516, 3] ../source3/smbd/service.c:198(set_current_service)
  chdir (/export/department) failed, reason: Permission denied
When doing an adquery on the username, the UID matches what shows in that log. When doing an adquery on the group Domain Users, the GID matches what shows in that log.
The folder /export/department has 0770 permissions set, with the group set to an AD group with the GID of 819233074, quite different from the GID for Domain Users.
Now the adquery for the user shows that the user here is a member of the group on the folder. And an adquery on the group on the folder shows that the user is a member of that group.
My theory is that the user is getting Access Denied because Samba is only seeing the Domain Users group instead of the one that is assigned to the folder. I'm not sure entirely, and I have no idea how to get past this hurdle. I'm open to any ideas if someone has seen this before.
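One way to test the theory in the post, as an added example that is not part of the original post: the classic POSIX mode-bit check that decides the chdir, evaluated for a process that carries only the primary group and for one that also carries the folder's group. The uid and gids are the values quoted above; the folder owner (uid 0), the absence of POSIX ACLs, and the helper names are assumptions.

```python
import os
import pwd
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result so the check can run on constructed values.
DirStat = namedtuple("DirStat", "st_uid st_gid st_mode")

def can_chdir(uid, gids, st):
    """Classic POSIX mode-bit check for directory search (x) permission.

    Exactly one class applies: owner, else group, else other.
    Root override and POSIX ACLs are deliberately not modelled.
    """
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def nss_identity(username):
    """Return (uid, gids) as the OS resolves them through NSS."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, set(os.getgrouplist(username, pw.pw_gid))

# Constructed from the values quoted in the post; the owner uid 0 is an assumption.
USER_UID, PRIMARY_GID, FOLDER_GID = 819220300, 817889793, 819233074
DEPARTMENT = DirStat(st_uid=0, st_gid=FOLDER_GID, st_mode=stat.S_IFDIR | 0o770)

def scenarios():
    """Access decision for the two group lists the theory distinguishes."""
    return {
        "primary group only": can_chdir(USER_UID, {PRIMARY_GID}, DEPARTMENT),
        "with folder group": can_chdir(USER_UID, {PRIMARY_GID, FOLDER_GID}, DEPARTMENT),
    }

if __name__ == "__main__":
    import sys
    for label, allowed in scenarios().items():
        print(f"{label}: {'allowed' if allowed else 'Permission denied'}")
    if len(sys.argv) == 3:  # usage: script.py USERNAME PATH
        uid, gids = nss_identity(sys.argv[1])
        st = os.stat(sys.argv[2])
        print(f"NSS gids: {sorted(gids)}; folder gid: {st.st_gid}")
        print("mode bits allow chdir:", can_chdir(uid, gids, st))
```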