samba - Apr 2007 - Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)

I cannot set rights on a arbitrary file or folder for the Windows
predefined group "Authenticated Users" (which has SID S-1-5-11) via
SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.

Everything else works:
- I can set rights for any other domain group.
- I can read the ACL entry for "Authenticated Users" in the Windows
2000
File Attribute Dialog if I set it manually with setfacl before
- I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
existence of this predefined group.

What am I doing wrong? Is this supposed to work?
Is there a workaround or any other suitable mapping for this group?

In the "Unofficial Samba + ACL Howto", there is a reference (chapter
3.1.4) that this might not work, but that was back in 2003 and 4 years
have passed since then.

Kind regards for any hint,

Jens

P.S: smb.conf output from testparm, nt acl support = Yes is also set
(testparm does not show it)

[global]
        dos charset = ISO-8859-1
        unix charset = ISO-8859-1
        display charset = ISO-8859-1
        workgroup = XXX
        realm = XXX.TEST
        security = ADS
        password server = xxx.xxx.test
        passdb backend = tdbsam
        guest account = samba
        name resolve order = host wins bcast
        idmap uid = 1000-60000
        idmap gid = 1000-60000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nss info = rfc2307
        ldapsam:trusted = Yes
        admin users = XXX\\Administrator
	ea support = Yes
        map acl inherit = Yes
        hide dot files = No
        map hidden = Yes
        map readonly = permissions
        dos filemode = Yes

[homes]
        comment = Home Directories
        read only = No
        browseable = No
        preexec = mkdir -m 700 %P

[shared]
        comment = ACL shared folder
        path = /export/shared
        read only = No
        create mask = 0777
        directory mask = 0777

On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen
wrote:
> I cannot set rights on a arbitrary file or folder for the Windows
> predefined group "Authenticated Users" (which has SID S-1-5-11)
via
> SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
> 
> Everything else works:
> - I can set rights for any other domain group.
> - I can read the ACL entry for "Authenticated Users" in the
Windows 2000
> File Attribute Dialog if I set it manually with setfacl before
> - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
> with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
> existence of this predefined group.
> 
> What am I doing wrong? Is this supposed to work?
> Is there a workaround or any other suitable mapping for this group?
> 
> In the "Unofficial Samba + ACL Howto", there is a reference
(chapter
> 3.1.4) that this might not work, but that was back in 2003 and 4 years
> have passed since then.
What fails ? Selecting the user in the GUI ? More info on
exactly what isn't working would be good.

Jeremy.