Problem: AD-bound 10.6.x Macs were experiencing problems connecting to SMB shares on Windows servers. Users either could not connect to the shares, or it took several minutes to open or browse folders.
Cause: The issue occurs when a folder or file on the share has a security list that includes an “Unknown SID”. When listing the contents of the share, the OS X Directory Service plugin attempts to resolve every SID to an AD object. When the plugin encounters an “Unknown SID”, it spends 60 seconds attempting to resolve it. Once the 60-second timeout is reached, the plugin skips the entry and continues listing the share contents. If multiple files or folders carry “Unknown SIDs”, the listing time multiplies with the number of such SIDs, which explains the different delays users are experiencing.
Testing indicates that once these “Unknown SIDs” are removed from the affected files and folders, SMB speed returns to normal. Mounting the share and listing its contents takes seconds instead of minutes.
Apple will take the finding back to their product engineering to determine how they might be able to mitigate the timeout issue from OS X.
The difficulty for server administrators is that it is not practical to identify these “Unknown SIDs” and remove them manually. After some research, it seems that Microsoft has a tool to do this.
SUBINACL - Display or modify Access Control Entries (ACEs) for file and folder Permissions, Ownership and Domain.
Download the MSI and install it on your file server. You can then run it using the following syntax. It will remove all the “Unknown SIDs” from the files and folders you specify.
subinacl /subdirectories X:\* /cleandeletedsidsfrom=IPGNA
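To see which files and folders carry unresolvable SIDs before running the cleanup, the following PowerShell script can be used as an audit pass. It is an added example, not part of the original post or of SUBINACL; the X:\ root is a placeholder, and PowerShell 3.0 or later on the file server is assumed.

```powershell
# Added example: list explicit ACEs whose SID does not resolve to an account.
# Assumptions: PowerShell 3.0+, run on the file server; 'X:\' is a placeholder.
param([string]$Root = 'X:\')

$cache = @{}   # SID string -> $true (resolves) / $false (unknown)

function Test-SidResolves {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Translate each distinct SID only once; a failed lookup can be slow.
    if (-not $cache.ContainsKey($Sid.Value)) {
        try {
            [void]$Sid.Translate([System.Security.Principal.NTAccount])
            $cache[$Sid.Value] = $true
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $cache[$Sid.Value] = $false
        }
    }
    $cache[$Sid.Value]
}

# The root itself plus everything beneath it, including hidden items.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$report = @(foreach ($item in $items) {
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

    # Explicit ACEs only (second argument $false skips inherited entries),
    # returned as raw SIDs so nothing is silently pre-translated.
    $rules = $acl.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if (-not (Test-SidResolves $rule.IdentityReference)) {
            [pscustomobject]@{
                Path   = $item.FullName
                Sid    = $rule.IdentityReference.Value
                Rights = $rule.FileSystemRights
                Type   = $rule.AccessControlType
            }
        }
    }
})

$unknown = @($report | Select-Object -ExpandProperty Sid -Unique)
Write-Host ("{0} ACEs with {1} distinct unresolved SIDs" -f $report.Count, $unknown.Count)
$report | Sort-Object Path, Sid
```

A SID can also fail to resolve because its domain is unreachable or no longer trusted, so review the distinct SIDs in the report before removing anything.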