I am getting a permission denied when trying to ls as a domain user a 
samba mount with windows ACLs (sigh I thought I had this figured out).? 
I tried to include self descriptive server names and include them in the 
info below (fs1: file server, nc: addc, u2gui: ubuntu desktop)
    CARLSON\peter at u2gui:~$ ls -l /mnt
    ls: cannot access '/mnt/test': Permission denied
    total 0
    d????????? ? ? ? ???????????? ? test
I followed the wiki 
here:https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 
... well at least I think I did.
File Server smb.conf:
    fs1:/data/test$ more /etc/samba/smb.conf
    [global]
    server string = %h server (Samba, Ubuntu)
     ?? log file = /var/log/samba/log.%m
     ?? max log size = 1000
     ?? logging = file
     ?? panic action = /usr/share/samba/panic-action %d
    log level = 3
    kerberos method = secrets and keytab
    realm = CARLSON.LAB
    workgroup = CARLSON
    template homedir = /home/%U@%D
    template shell = /bin/bash
    security = ads
    idmap config CARLSON : range = 2000000-2999999
    idmap config CARLSON : backend = rid
    idmap config * : range = 10000-999999
    idmap config * : backend = tdb
    vfs objects = acl_xattr
    map acl inherit = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind enum groups = no
    winbind enum users = no
    apply group policies = yes
    #======================= Share Definitions ======================    [Test]
     ??? path = /data/test
     ??? comment = test
     ??? writable = yes
then set SeDiskOperatorPrivilege
    root at nc1:~# net rpc rights list privileges SeDiskOperatorPrivilege
    -U carlson\\peter
    Password for [CARLSON\peter]:
    SeDiskOperatorPrivilege:
     ? CARLSON\Domain Admins
CARLSON\peter at fs1:/data$ getfacl test
    # file: test
    # owner: root
    # group: CARLSON\\videousers
    user::rwx
    user:root:rwx
    user:CARLSON\\videousers:rwx
    group::rwx
    group:CARLSON\\domain\040admins:rwx
    group:CARLSON\\videousers:rwx
    mask::rwx
    other::rwx
    default:user::rwx
    default:user:root:rwx
    default:group::r-x
    default:group:CARLSON\\domain\040admins:r-x
    default:mask::rwx
    default:other::r-x
root at fs1:/data# samba-tool ntacl get /data/test --as-sddl
    lp_load_ex: refreshing parameters
    Initialising global parameters
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
    (16384)
    Processing section "[global]"
    Processing section "[Test]"
    Initialising default vfs hooks
    Initialising custom vfs hooks from [/[Default VFS]/]
    Initialising custom vfs hooks from [acl_xattr]
    load_module_absolute_path: Module
    '/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so' loaded
    connect_acl_xattr: setting 'inherit acls = true' 'dos filemode  
true' and 'force unknown acl user = true' for service Unknown
    Service (snum == -1)
   
O:S-1-22-1-0G:S-1-5-21-33300784-995546578-3414580312-1121D:AI(A;OICI;FA;;;S-1-22-1-0)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;DA)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;S-1-22-1-0)(A;;FA;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;DA)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)
The share mounts and I am a member of the correct groups
    CARLSON\peter at u2gui:~$ cat /etc/fstab
    //fs.carlson.lab/test /mnt/test cifs
    credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0
    //fs.carlson.lab/test on /mnt/test type cifs
   
(rw,relatime,vers=3.1.1,sec=ntlmssp,cache=strict,multiuser,domain=CARLSON.LAB,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.52,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,_netdev)
    CARLSON\peter at u2gui:~$ id
    uid=2001107(CARLSON\peter) gid=2000513(CARLSON\domain users)
    groups=2000513(CARLSON\domain
   
users),10000(BUILTIN\administrators),10001(BUILTIN\users),2000512(CARLSON\domain
    admins),2000572(CARLSON\denied rodc password replication
    group),2001107(CARLSON\peter),2001108(CARLSON\linux
    admins),2001120(CARLSON\videoadmin),2001121(CARLSON\videousers)