When using admin users = '@DOM+Domain Admins' and adding a user of this group with full access to a share (using WinNT Server Manager) the user may not access the share. Error message: denied due to security descriptor. Volker Lendecke provided the following explaination: The list of SIDs is generated twice. During Session Setup and while accessing the share. During Session Setup everything is fine. Later the UID is replaced by 0. While accessing the share a new token is generated. This time the wrong RID is used.
probably not going fix this in Samba 3.