📖 ~1 min read
Table of contents
Symptom & Impact
Domain users cannot access print or file shares despite valid Kerberos tickets.
Environment & Reproduction
Observed after AD domain migration or smb.conf rewrite on SLES 15 file servers.
Root Cause Analysis
Share or filesystem ACLs do not include the new domain SIDs after migration.
Quick Triage
Validate ticket cache with `klist` and try `smbclient -L localhost -U user`.
Step-by-Step Diagnosis
Check `getfacl` on the share path and inspect `smb.conf` for `valid users` directives.
Solution – Primary Fix
Refresh ACLs with `setfacl` or `sambacl` and update `valid users` to use SID-based references.
Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.
Solution – Alternative Approaches
Use ID mapping config to keep UIDs/GIDs stable across the domain.
Verification & Acceptance Criteria
Domain users mount, list, and write to expected shares.
Rollback Plan
Restore previous ACL state from backup if access becomes too permissive.
Prevention & Hardening
Capture share ACL inventory and review during AD migrations.
Related Errors & Cross-Refs
Pairs with `NT_STATUS_ACCESS_DENIED` events in samba logs.
Related tutorial: View the step-by-step tutorial for sles-15.
View all sles-15 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
SUSE Samba and Active Directory integration documentation.
Need Expert Help?
If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.
