[Samba] Can't set ACLs on mounted share from windows

Eric Diven eric.diven at edsiohio.com
Tue Oct 16 17:26:30 GMT 2007

On Samba 3.0.24, on Solaris 10, I can set ACLs from the command line
using setfacl and view them using getfacl.  When I look at the security
for the mounted share on Windows, I only see the owner, group and world
permissions.  I can modify those permissions, at least for world.  What
I can't do is add another user or group to the ACL.  I get the error

"Unable to save permission changes on directory on 'croesus running
samba (ipaddress)' (driveletter:).

Access is denied."

Samba is compiled with ACL support, the fs and kernel support it.  I'm
logging in to the samba server as the owner of the file and directory
(whose UID comes from winbind, it's an AD user).  Both the user and its
group are on the list of admin users in the share config.  I'm starting
to run out of ideas here to be honest.  Running at log level 2, I don't
see anything in the logs when I try to add a new user or group to the
ACL.  Any thoughts please?


The relevant sections of the smb.conf file:

        workgroup = W2K3TEST
        realm = W2K3TEST.LOCAL
        server string = croesus running samba
        security = ADS
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        preferred master = No
        dns proxy = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +

        path = /foo/afiles
        admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
        read only = No
