Samba 3.0.22a (with backports from up to 3.0.25) on HP-UX 11iv3 (HP CIFS Server), "security=ADS" to W2003R2 domain, winbind running with "idmap backend = rid:", and "root = DOMAIN+Administrator" in username.map.

From Administrator on a domain Vista client, using Explore to map a share and then set an ACL from Properties/Security/Permissions, I choose a Windows group from the list to add to the directory ACL. The winbind GID is 12011. The correct groupname is displayed in the Explorer window, but when doing a getacl from unix, the GID is 100, or sys - the Administrator home group.

So I went to /var/opt/samba/locks and deleted all of the cache files and restarted - same result.

If I set the directory to a different owner, and add the same GID with a different client user, then the correct winbind GID is added to the ACL.

Any idea why Administrator=root maps the sys GID to a winbind group name? Log entry and smb.conf below.

Thanks,
Eric Roseme

[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1318)
  local_sid_to_gid: Fall back to algorithmic mapping
[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1325)
  local_sid_to_gid: mapping: S-1-5-21-463747597-202940698-2940076759-1201 -> 100
[2008/05/14 09:57:02, 10] passdb/lookup_sid.c:sid_to_gid(1245)
  sid_to_gid: S-1-5-21-463747597-202940698-2940076759-1201 -> 100
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1453)
  create_canon_ace_lists: adding dir ACL:
  canon_ace index 0. Type = allow SID = S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) SMB_ACL_GROUP perms r-x
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1511)
  create_canon_ace_lists: adding file ACL:
  canon_ace index 0. Type = allow SID = S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) SMB_ACL_GROUP perms r-x

-------------- next part --------------
# Samba config file created using SWAT
# from 16.93.45.222 (16.93.45.222)
# Date: 2006/04/28 10:10:56

# Global parameters
[global]
        workgroup = SNSLATC
        realm = SNSLATC.HP.COM
        server string = Samba Server
        interfaces = xx.xxx.xxx.xx
        bind interfaces only = Yes
        netbios name = SERVER14
        security = ADS
        client schannel = No
        server schannel = No
        password server = SNSLATC-DC.SNSLATC.HP.COM
        log level = 10
        log file = /var/opt/samba/log.%m
        username map = /etc/opt/samba/username.map
        max log size = 1000
        machine password timeout = 300
        local master = No
        wins server = xx.xxx.xxx.xx
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        idmap backend = rid:SNSLATC=10000-20000
        template homedir = /home/%U
        template shell = /usr/bin/sh
        winbind separator = +
        winbind use default domain = yes
        allow trusted domains = no
        winbind enum users = yes
        winbind enum groups = yes
        read only = No
        short preserve case = No
        dos filetime resolution = Yes
#       use kerberos keytab = yes

[homes]
        comment = Home Directories
        valid users = %S
        browseable = No

[tmp]
        comment = Temporary file space
        path = /tmp

[sbx_interface]
        path = /home/sbx_interface
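
A check for the symptom in the log above, as an added example that is not part of the original post or of Samba: it reads the `idmap gid` range from smb.conf text and reports every final `sid_to_gid` result that lands outside that range, noting whether the algorithmic fallback preceded it. The function names and the second sample mapping (RID 2011) are constructed for illustration.

```python
import re

# Constructed sample in the log format quoted in the post; the last entry
# (RID 2011 -> 12011) is invented to show an in-range mapping for contrast.
SAMPLE_LOG = """\
[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1318)
  local_sid_to_gid: Fall back to algorithmic mapping
[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1325)
  local_sid_to_gid: mapping: S-1-5-21-463747597-202940698-2940076759-1201 -> 100
[2008/05/14 09:57:02, 10] passdb/lookup_sid.c:sid_to_gid(1245)
  sid_to_gid: S-1-5-21-463747597-202940698-2940076759-1201 -> 100
[2008/05/14 09:57:03, 10] passdb/lookup_sid.c:sid_to_gid(1245)
  sid_to_gid: S-1-5-21-463747597-202940698-2940076759-2011 -> 12011
"""
SAMPLE_CONF = "idmap uid = 10000-20000\nidmap gid = 10000-20000\n"

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]")
MAPPING = re.compile(r"^(local_sid_to_gid: mapping|sid_to_gid): (S-1-[\d-]+) -> (\d+)$")

def idmap_gid_range(conf_text):
    """Read the 'idmap gid = low-high' range from smb.conf text."""
    m = re.search(r"^\s*idmap gid\s*=\s*(\d+)\s*-\s*(\d+)\s*$", conf_text, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def out_of_range_gids(log_text, gid_range):
    """List final sid_to_gid results whose gid is outside the winbind range."""
    low, high = gid_range
    findings, algorithmic, fallback_pending, stamp = [], set(), False, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if h := HEADER.match(line):
            stamp = h.group(1)  # timestamp applies to the message lines that follow
        elif "Fall back to algorithmic mapping" in line:
            fallback_pending = True
        elif m := MAPPING.match(line):
            kind, sid, gid = m.group(1), m.group(2), int(m.group(3))
            if kind.startswith("local_sid_to_gid"):
                if fallback_pending:  # this SID was resolved algorithmically
                    algorithmic.add(sid)
                fallback_pending = False
            elif not low <= gid <= high:
                findings.append({"time": stamp, "sid": sid, "gid": gid,
                                 "algorithmic_fallback": sid in algorithmic})
    return findings

if __name__ == "__main__":
    for finding in out_of_range_gids(SAMPLE_LOG, idmap_gid_range(SAMPLE_CONF)):
        print(finding)
```

An ACL entry that resolves to a gid outside the winbind range grants access to a local Unix group rather than the domain group shown in Explorer, so each finding is worth comparing against the getacl output.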