[Samba] ACL not working

slan buas slanbuas at gmail.com
Tue Mar 22 11:24:29 MDT 2011


Using Samba+winbind 3.3.8 as a fileserver on a Win2008 domain. getent
and wbinfo are reporting correct information about users. However, my
group directories are allowing access to people who shouldn't have it. From the shell
everything is working as expected, but not from Samba. What did I
miss?

Exported share:  /export/users
drwxr-x---+ 7 root root 4096 Mar 18 14:57 group    # (team directories)
                                           \---- tech
                                            \--- prod

- Working from the shell
# su prod-user
$ ls tech/
ls: tech/: Permission denied

- Not working from smbclient
# smbclient -U prod-user //fileserver/share
Domain=[FOO] OS=[Unix] Server=[Samba 3.3.8-0.52.el5_5.2]
smb: \> cd group/tech/
smb: \group\tech\>

----------
Group
--
# getent group | grep prod-user
prod:*:10004:prod-user,(...)

----------
Acls
--
# file: group
# owner: root
# group: root
user::rwx
group::r-x
group:domain\040users:r-x
mask::r-x
other::---


# file: group/tech
# owner: root
# group: root
user::---
group::---
group:tech:rwx
mask::rwx
other::---
default:user::---
default:group::---
default:group:tech:rwx
default:mask::rwx
default:other::---

----------
Build options
--
# smbd -b | grep -i acl
   HAVE_SYS_ACL_H
   HAVE_ACL_LIBACL_H
   HAVE_POSIX_ACLS
   vfs_acl_tdb_init
   vfs_acl_xattr_init
    pdb_ldap pdb_smbpasswd pdb_tdbsam rpc_lsarpc rpc_winreg
rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl2 rpc_ntsvcs2
rpc_netlogon rpc_netdfs rpc_srvsvc rpc_spoolss rpc_eventlog2 rpc_samr
idmap_ldap idmap_tdb idmap_passdb idmap_nss nss_info_template auth_sam
auth_unix auth_winbind auth_server auth_domain auth_builtin
vfs_default vfs_posixacl

----------
smb.conf
--

# smb.conf as posted. Comments added for review; no values changed.
[global]
   workgroup = FOO
   realm = FOO.BAR
   local master = no
   domain master = no
   preferred master = no
   server string = SOVO File Server
   # ADS domain member: authentication goes through the domain (see password server) and winbind below.
   security = ads
   encrypt passwords = yes
   password server  = dc1.foo.bar, dc2.foo.bar
   # log level 3 is verbose enough to show the per-connection uid/gid smbd switches to; useful when checking ACL behaviour.
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   load printers = no
   printcap name = /dev/null
   disable spoolss = yes
   show add printer wizard = no
   client ntlmv2 auth = yes
   winbind enum users = Yes
   winbind enum groups = Yes
   # Names are used without the DOMAIN+ prefix (separator is '+'), which is why "prod-user" and "@prod" appear unqualified elsewhere in the post.
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind refresh tickets = yes
   winbind reconnect delay = 15
   winbind separator = +
   winbind cache time = 120
   winbind nss info = rfc2307
   winbind offline logon = true
   passdb backend = tdbsam
   idmap negative cache time = 120
   idmap cache time = 900
   # Domain FOO maps ids from AD (rfc2307 attributes), read-only.
   idmap config FOO : backend = ad
   idmap config FOO : readonly = yes
   idmap config FOO : schema_mode = rfc2307
   idmap config FOO : range = 10000-4000000000
   # NOTE(review): the generic idmap uid/gid ranges (10000-20000) sit inside the FOO range above — confirm this overlap is intended.
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   # NOTE(review): with nt acl support = no smbd does not present the POSIX ACL to clients as an NT ACL; the filesystem ACL is presumably still enforced by the kernel for the uid/gid smbd runs the connection as — confirm against the 3.3 documentation.
   nt acl support = no
   acl check permissions = true
   acl compatibility = auto
   acl group control = no
   acl map full control = false


[share]
   path = /export/users
   writable = yes
   browseable = yes
   # Entries the connected user cannot read are hidden from listings.
   hide unreadable = yes
   hide dot files=yes
   hide files=/lost+found/
   # Connection is limited to members of these groups (unqualified names, per winbind use default domain above).
   valid users = @tech @man @prod

