[Samba] Samba 4.0.8 on RHEL 6.2 how to grant permissions via Windows to unix users/groups?

[Kristy Kallback-Rose]

I have built from source Samba 4.0.8 on RHEL 6.2. 

I want users to be able to change permissions via Windows, but I don't see how to do that for the unix users and groups in the Windows permission screens. When I create a folder, for example, and right-click to get properties and click on the security tab I can see under "Group or user names:" Everyone, kallbac (Unix User\kallbac) and blah (Unix Group \blah)

However, when I click edit and try to add additional permissions I have our ADS server as the default "from this location" option and can change that to the server running Samba. However, I cannot select any groups using this option --none are returned and I get "An object named "blah" cannot be found…" even though the group is returned with getent group.

I am wondering if there is a problem between the username at ADS.IU.EDU returned from getent vs. the unix username that appear in the Windows permission, but I don't know how to resolve that. Any ideas?

Additional info below, let me know if something else is useful.

Thanks,
Kristy

I have a GPFS share with the following smb.conf settings:

[gpfs_export]
        comment = gpfs export
        path = /gpfs/gpfs_export
        public = yes
        writable = yes
        printable = no
	vfs objects = gpfs fileid
	idmap backend = tdb2
	fileid:mapping = fsname
	gpfs:sharemodes = No
	force unknown acl user = yes
	nfs4: mode = special
	nfs4: chown = yes
	nfs4: acedup = merge


I am using Kerberos/AD to authenticate and can connect to the share. Relevant settings are:

	workgroup = ADS
	security = ADS
	realm = ADS.IU.EDU
	password server = ads.iu.edu

passed and groups should be coming from files and ldap per nsswitch.conf:
passwd:     files ldap
group:      files ldap

For my own account I see:
getent passwd | grep kallbac
kallbac:{KERBEROS}kallbac at ADS.IU.EDU:12108:236:Kristy Kallback-Rose:/N/u/kallbac: