Bug 1465388

samba-4.4.4-14.el7_3.x86_64
samba-client-libs-4.4.4-14.el7_3.x86_64
samba-common-4.4.4-14.el7_3.noarch
samba-common-libs-4.4.4-14.el7_3.x86_64
samba-common-tools-4.4.4-14.el7_3.x86_64
samba-libs-4.4.4-14.el7_3.x86_64

after the security updates above while navigate through smb shares you get dandomly on the second or third subfolder a "permission denied" and in case of Konqueror on a Fedora machine you where asekd again for the password of the share while on MacOS the folder appears to be empty

since this affects two different machines running CentOS7 with current updates but *not* Fedora machines this smells like a backporting problem on the RHEL packages

since the permissions and POSIX ACL's on at least one of both affected machines are set recursive with a script it's impossible that there is a filesystem pmerissions problem underlying 
_______________________________

[global]
 server string = example.thelounge.net
 netbios name = example
 smb ports = 445
 socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE

 interfaces = 192.168.196.111
 bind interfaces only = yes

 hosts allow = 192.168.196.18 192.168.196.30 192.168.196.99 192.168.196.107 192.168.196.131 192.168.196.200 192.168.196.201 192.168.196.202 192.168.196.203 192.168.196.204 192.168.196.205 192.168.196.206 192.168.196.207 192.168.196.208 192.168.196.209 192.168.196.210 192.168.196.211 192.168.196.212 192.168.196.213 192.168.196.214 192.168.196.215 192.168.196.216 192.168.196.217 192.168.196.218 192.168.196.219 192.168.196.220 192.168.196.221 192.168.196.222 192.168.196.223 192.168.196.224 192.168.196.225 192.168.196.226 192.168.196.227 192.168.196.228 192.168.196.229 192.168.196.230 192.168.196.231 192.168.196.232 192.168.196.233 192.168.196.234 192.168.196.235 192.168.196.236 192.168.196.237 192.168.196.238 192.168.196.239 192.168.196.240 192.168.196.241 192.168.196.242 192.168.196.243 192.168.196.244 192.168.196.245 192.168.196.246 192.168.196.247 192.168.196.248 192.168.196.249 192.168.196.250 192.168.196.251
 hosts deny = all
 hide files = /.AppleDesktop/.AppleDouble/.Parent/desktop.ini/$RECYCLE.BIN/
 veto files = /.AppleDesktop/.AppleDouble/.Parent/desktop.ini/$RECYCLE.BIN/
 delete veto files = yes

 access based share enum = yes
 hide unreadable = yes
 inherit permissions = yes
 inherit acls = yes
 nt acl support = no
 nt pipe support = yes
 browseable = yes
 writeable = yes
 guest ok = no
 wide links = no
 follow symlinks = no
 oplocks = no
 level2 oplocks = no
 vfs objects = catia fruit streams_xattr
 ea support = yes

 workgroup = LOUNGE
 lm announce = no
 lanman auth = no
 ntlm auth = no
 client lanman auth = no
 client ntlmv2 auth = yes
 client signing = auto
 server signing = auto
 security = user
 restrict anonymous = 2
 invalid users = nobody root admin administrator guest gast pcguest anonymous
 log file = /var/log/samba/samba.log
 log level = 1 auth:2 passdb:2 tdb:1 vfs:1 smb:1 locking:1 sam:1 winbind:1 idmap:1 quota:1 acls:0 msdfs:1 dmapi:1 registry:1 printdrivers:0 lanman:0 rpc_parse:0 rpc_srv:0 rpc_cli:0
 max log size = 4096
 os level = 0
 domain master = no
 preferred master = no
 local master = no
 disable netbios = yes
 wins support = no
 browse list = no
 dns proxy = no
 multicast dns register = no
 name resolve order = hosts bcast
 max smbd processes = 50
 use sendfile = yes
 read raw = yes
 write raw = yes
 getwd cache = yes
 stat cache = yes
 max stat cache size = 256
 ldap ssl = no
 time server = no
 unix extensions = no
 show add printer wizard = no
 load printers = no
 printable = no
 printing = bsd
 printcap name = /dev/null

[smb-share]
 path = /srv/smb
 valid users = reindl
 force group = smb-users