[Samba] ACLS without winbind (but WITH correct user mapping)

[Colin Fowler]

Thanks to some of the guys on #samba-technical (obnox in particular!), I 
now have a working samba configuration.

The environment:

In our setup each user has an entry in both openldap (no samba schemes) 
and AD. Each account has the same name and even has a Unix UID entry in 
AD. Our users ssh into Linux boxes, authenticating off of openldap. 
Files are shared via samba.
Due to the account duplication the config I use has NO winbind. Instead 
the username map script option is used with echo
username map script = echo
A rather simple but beatiful solution thanks to the IRC lads. User "bob" 
auths via AD, the AD username is mapped to unix username and file 
permissions work perfectly.

ACLS:
The filesystem supports ACLS. When I view the security tab on a Windows 
7 client, I see the user perissions as following

Everyone
bob (Unix User\bob)
staff (Unix Group\staff)


If I add an acl for tom on the unix server via setfacl I then see

Everyone
bob (Unix User\bob)
tom (Unix User\tom)
staff (Unix Group\staff)

Great!

Attempting to add a user to the ACLs from the windows side fails however.
I click edit, then add and type in a username
In the box I now have

bob (Unix User\bob)
tom (Unix User\tom)
nigel (DOMAIN\nigel)
staff (Unix Group\staff)

Note the DOMAIN and not "Unix User". Clicking apply simply makes the new 
entry disappear.

If username mapping is working correctly, why does adding an ACL for 
DOMAIN\nigel not set an ACL for Unix User\nigel?


Any help appreciated!

Colin