Rommel Rodriguez Toirac
2017-Apr-12 15:53 UTC
[Samba] Access denied to change share security staff
Hello all;

I have a problem with shares on a domain member used as a file server (I want to use it like that). I checked some of the tests that you suggest on the Samba wiki and all of them passed. I tried to make a new share using POSIX ACLs and still have no access.

To make the share and apply the permissions and owners:

[root at gtmpve lib]# mkdir -p /compartido/prueba/
[root at gtmpve lib]# chmod 2770 /compartido/prueba/
[root at gtmpve lib]# chown root:"ATGTM00\domain admins" /compartido/prueba/

My smb.conf looks like this:

[root at gtmpve lib]# cat /etc/samba/smb.conf
[global]
    netbios name = gtmpve
    security = ADS
    workgroup = ATGTM00
    realm = GTM.ONAT.GOB.CU
    log file = /var/log/samba/%m.log
    log level = 10

    # idmap: tdb for the default (BUILTIN etc.) range, rid for the domain
    idmap config *:backend = tdb
    idmap config *:range = 3000-7999
    idmap config ATGTM00:backend = rid
    idmap config ATGTM00:range = 10000-999999

    winbind nss info = template
    winbind enum groups = yes
    winbind enum users = yes
    template shell = /bin/bash
    template homedir = /home/%U

    # ACL handling
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    create mask = 0666
    directory mask = 0777
    dos filemode = yes
    acl allow execute always = yes

    guest account = nobody
    map to guest = Bad User
    server string = Servidor de archivos #2
    server role = member server
    local master = no
    domain master = no
    preferred master = no

    # no printing
    load printers = no
    printcap name = /dev/null
    disable spoolss = yes

[prueba]
    path = /compartido/prueba/
    read only = no
    valid users = +ATGTM00\"Domain Users"

The /etc/krb5.conf is like this:

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = GTM.ONAT.GOB.CU

These are some of the tests and their results:

[root at gtmpve lib]# getent passwd 'ATGTM00\rommel'
ATGTM00\rommel:*:11144:10513:Rommel Rodriguez Toirac:/home/rommel:/bin/bash
[root at gtmpve lib]# wbinfo --ping-dc
checking the NETLOGON for domain[ATGTM00] dc connection to "gtmad.gtm.onat.gob.cu" succeeded
[root at gtmpve lib]# getent hosts gtmpve
192.168.41.16   gtmpve.gtm.onat.gob.cu gtmpve

Rommel Rodriguez Toirac
rommelrt at nauta.cu
Rommel Rodriguez Toirac
2017-Apr-12 19:37 UTC
[Samba] Access denied to change share security staff
Reading the messages on the list with the subject "Dir ACL through windows and chmod", I ran the commands that Rowland suggested and these are the results:

[root at gtmpve /]# getfacl /compartido/prueba
getfacl: Removing leading '/' from absolute path names
# file: compartido/prueba
# owner: root
# group: ATGTM00\134domain\040admins
# flags: -s-
user::rwx
group::rwx
other::---
[root at gtmpve /]# ls -lad /compartido/prueba
drwxrws---. 2 root ATGTM00\domain admins 6 Apr 10 11:01 /compartido/prueba

With getfacl the result is just this short, while on the other Samba 4 domain member that I use as a file server (that one works fine), when I run this command for a share this is the result:

[root at gtmdato ~]# getfacl /mnt/samba/salva_usuarios
getfacl: Removing leading '/' from absolute path names
# file: mnt/samba/salva_usuarios
# owner: root
# group: ATGTM00\134domain\040admins
user::rwx
user:root:rwx
user:ATGTM00\134domain\040admins:rwx
group::rwx
group:ATGTM00\134domain\040admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:ATGTM00\134domain\040admins:rwx
default:group::rwx
default:group:ATGTM00\134domain\040admins:rwx
default:mask::rwx
default:other::r-x
[root at gtmdato ~]# ls -lad /mnt/samba/salva_usuarios
drwxrwxr-x+ 81 root ATGTM00\domain admins 4096 Mar 17 09:57 /mnt/samba/salva_usuarios

Why this difference? What am I missing?

Rommel Rodriguez Toirac
rommelrt at nauta.cu
On Wed, 12 Apr 2017 15:37:14 -0400 Rommel Rodriguez Toirac via samba <samba at lists.samba.org> wrote:

> Why this difference? What am I missing?

You are missing the fact that you shouldn't mix using Unix permissions and ACLs; it will not work. Use one or the other, preferably the latter; in fact, if you use the DC as a fileserver, you MUST use the latter.

Follow the instructions here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Do not set any Unix permissions on the share dir manually.

Rowland
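As an added example (it is not part of the thread and not Samba's own tooling), the following POSIX shell script makes the difference between the two getfacl listings above checkable: a directory that has only been chmod/chown'ed shows just the three base entries, while a directory whose ACL Samba has written from the Windows security tab (with vfs objects = acl_xattr) carries named user/group entries, a mask line and default: entries for inheritance. The two sample listings are copied from the thread; the helper names (classify_acl, count_default_entries, acl_unescape, has_ntacl) are this example's own. It also decodes the \134 and \040 octal escapes getfacl uses for the backslash and the space in "ATGTM00\domain admins", since that escaping often looks like corruption at first sight.

```shell
#!/bin/sh
# Added example: tell a chmod-only POSIX ACL apart from one Samba wrote from
# Windows. Helper names below are this example's own, not Samba commands.

# Read getfacl output on stdin. Named entries (user:NAME:perms, group:NAME:perms)
# never come from chmod/chown alone; Samba adds them, a mask and default:
# entries when the ACL is set through the Windows security tab.
classify_acl() {
    if grep -qE '^(default:)?(user|group):[^:]+:'; then
        printf 'extended\n'
    else
        printf 'base-only\n'
    fi
}

# Number of default: (inheritance) entries in the getfacl output on stdin.
# grep -c prints 0 but exits 1 when nothing matches, so mask that exit status.
count_default_entries() {
    grep -c '^default:' || :
}

# getfacl prints '\' and ' ' inside names as 3-digit octal escapes (\134, \040).
# printf %b expects \0NNN, so insert the leading zero before expanding.
acl_unescape() {
    printf '%b' "$(printf '%s' "$1" | sed 's/\\\([0-7][0-7][0-7]\)/\\0\1/g')"
}

# On a live member server with vfs objects = acl_xattr the NT ACL is stored in
# the security.NTACL extended attribute; if it is absent, Windows never set one.
# (Not called below: it needs a real path and root privileges.)
has_ntacl() {
    getfattr -n security.NTACL "$1" >/dev/null 2>&1
}

# Listings copied from the thread (the getfacl path notice is omitted).
sample_prueba() {
cat <<'EOF'
# file: compartido/prueba
# owner: root
# group: ATGTM00\134domain\040admins
# flags: -s-
user::rwx
group::rwx
other::---
EOF
}

sample_salva_usuarios() {
cat <<'EOF'
# file: mnt/samba/salva_usuarios
# owner: root
# group: ATGTM00\134domain\040admins
user::rwx
user:root:rwx
user:ATGTM00\134domain\040admins:rwx
group::rwx
group:ATGTM00\134domain\040admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:ATGTM00\134domain\040admins:rwx
default:group::rwx
default:group:ATGTM00\134domain\040admins:rwx
default:mask::rwx
default:other::r-x
EOF
}

# Report on both listings; the first is base-only, the second extended.
for s in sample_prueba sample_salva_usuarios; do
    printf '%s: %s ACL, %s default entries, group "%s"\n' \
        "$s" "$("$s" | classify_acl)" "$("$s" | count_default_entries)" \
        "$(acl_unescape "$("$s" | sed -n 's/^# group: //p')")"
done
```

On a real server run `getfacl /compartido/prueba | classify_acl` after setting the share permissions from Windows as the wiki page describes; until the result is "extended" (and has_ntacl succeeds), the ACL still only reflects the manual chmod/chown, which is exactly the mixed state the reply above warns against.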