samba - Sep 2007 - member server config problem

Hi,

I'm settin up a member Server in a samba domain. (both 3.0.24)

getent passwd/group shows all user and groups
wbinfo -u/g shows user and groups
net groupmap list shows all groups correctly

Here's the testparm output:

Server role: ROLE_DOMAIN_MEMBER

[global]
        workgroup = AAG
        server string = FILES (%v)
        security = DOMAIN
        password server = 192.168.100.72
        passdb backend = ldapsam:ldap://192.168.100.72/
        log level = 10
        log file = /var/log/samba/%m.log
        name resolve order = host wins bcast
        deadtime = 15
        keepalive = 0
        load printers = No
        preferred master = No
        local master = No
        domain master = No
        wins server = 192.168.100.72
        ldap admin dn = cn=admin,dc=aag
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=computers
        ldap suffix = dc=aag
        ldap user suffix = ou=users
        panic action = /etc/samba/panic-action %d
        idmap backend = ldap:ldap://erde.aag
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind trusted domains only = Yes
        read only = No
        create mask = 0770
        force create mode = 0770
        directory mask = 0770
        force directory mode = 0770
        inherit acls = Yes
        map acl inherit = Yes
        strict sync = Yes
        sync always = Yes
        use sendfile = Yes
        veto oplock files = /*.mdb/
        delete readonly = Yes
        dos filemode = Yes
        msdfs root = No

[Homes]
        path = /userdata/%S
        invalid users = root, admin, bin, daemon, sys, sync, lp, mail, news, 
uucp, proxy, www-data, backup, irc, sshd, man, identd, bacula, nobody, 
Debian-exim
        create mask = 0700
        directory mask = 0700
        browseable = No
Then all the shares....

ACLS are enabled in fstab

I have /groupdata with all groupshares and /userdata for homes.
/groupdata is actually owned by me.domain_admins

I can set acls from linux with
setfacl -R -d -m g:group:rwx folder

unfortunately I cannot change permissions from windows, not as domain-root nor 
as me even if I am in the domain_admins group and privileges are activated I 
get a permission denied message. I also don't see the acls I set for
"group"
under windows even if linux shows them correctly.

I'm afraid it is something very stupid I don't see, but I would be very 
gratefull if somebody could point me to the error.

Please let me know what logs I should append

tia,

Angela