New domain users cannot access Samba file shares on vSAN 8.0 File Services

Article ID: 435476

Products

VMware vSAN, VMware vSAN 8.x

Issue/Introduction

  • An Active Directory domain is configured for vSAN File Services.

  • Some users from a second Active Directory domain (which has a trust relationship with the configured domain) can access Samba shares provisioned from vSAN File Services.

  • Subsequently, additional users from this second Active Directory domain cannot access some of the Samba shares.

Environment

VMware vSAN 8.0 U3

Cause

By design, vSAN File Services supports configuring a single AD domain and does not support authentication of users from other trusted domains within an AD forest. See Limitations and Considerations of vSAN File Service.

While the configured domain has a large user mapping range (10000-1073751823), users from a second trusted domain have no range of their own and fall back to the small default mapping range intended for local users (3000-7999). Once this small range is fully allocated, winbind can no longer assign a UID to a new user from the trusted domain, and that user is denied access to the share.

Verification:

File Services VM smb configuration (e.g. /vmfs/volumes/vdfsDatastore/vdfs_root_fs/########-####-####-####-############/volumes/########-####-####-####-############/default/########-####-####-####-############/<FileServicesVmName>/etc/smb.conf):
[global]
...
realm = <AD Domain>
workgroup = <AD Domain Alias>
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config vdieglv : backend = rid
idmap config vdieglv : range = 10000-1073751823

On the File Services VM, the winbindd idmap log reports that the default range is full:
cat /log/samba_logs/log.winbindd-idmap
[<timestamp>, L1, pid=223, cls=idmap] idmap_tdb_common_allocate_id_action(line 66) Fatal Error: UID range full !! (max: 7999)
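As an added check, not part of this article or of the vSAN product, the following Python parses the idmap config lines from an smb.conf excerpt and the winbindd-idmap log, reports which range winbind allocates from for a user of a given domain, and flags when the log's "UID range full" message matches the configured default range. The sample config and log line are constructed to mirror the excerpts above; the realm EXAMPLE.LOCAL and workgroup value are assumptions, and vdieglv is taken from the article's excerpt.

```python
import re

# Constructed sample mirroring the smb.conf excerpt above (realm/workgroup values are assumptions).
SAMPLE_SMB_CONF = """[global]
realm = EXAMPLE.LOCAL
workgroup = VDIEGLV
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config vdieglv : backend = rid
idmap config vdieglv : range = 10000-1073751823
"""

# Constructed log line in the shape of the log.winbindd-idmap message quoted above.
SAMPLE_LOG = ("[2024/01/01 10:00:00.000000, 1, pid=223, cls=idmap] "
              "idmap_tdb_common_allocate_id_action(line 66) Fatal Error: UID range full !! (max: 7999)\n")

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)
FULL_RE = re.compile(r"UID range full !! \(max: (\d+)\)")


def parse_idmap(conf_text):
    """Map each idmap domain (upper-cased; '*' is the default) to its backend and (lo, hi) range."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-", 1))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = val.lower()
    return domains


def range_for_domain(conf_text, domain):
    """Range winbind allocates from for users of `domain`: its own block if configured, else the '*' default."""
    domains = parse_idmap(conf_text)
    entry = domains.get(domain.upper()) or domains.get("*", {})
    return entry.get("range")


def default_range_exhausted(conf_text, log_text):
    """True when the log reports a full UID range whose max equals the configured '*' upper bound."""
    star_range = parse_idmap(conf_text).get("*", {}).get("range")
    m = FULL_RE.search(log_text)
    return bool(star_range and m and int(m.group(1)) == star_range[1])
```

A user from any domain other than vdieglv resolves to the 3000-7999 default range, which is exactly the condition the log line confirms once it fills.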

Resolution

All Active Directory users who access vSAN File Services Samba file shares must belong to the single Active Directory domain configured on vSAN File Services.