samba - Apr 2019 - Problems getting POSIX ACL working on upgraded samba file server Ubuntu 16.04 LTS to 18.04 LTS

Running a Samba 4 AD DC on Ubuntu 18.04, and fileservers on 18.04.  Our access
control needs are rather simple and worked well under the samba 3 series with
LDAP users and groups so we plan to keep using the POSIX ACL (regular filesystem
access controls)

On a fresh install file server(18.04) samba 4 with POSIX ACLs work with no
issue, but I can't get the permissions to work properly on the upgraded
server (samba 4 Ubuntu 16.04 - upgraded to samba 4 Ubuntu 18.04) .
We are using winbind nss info = rfc2307 and have configured UID and GID for the
accounts that will have access.  Granted when recreating the accounts on the new
samba 4 DC (small network of 25 users was easier to recreate accounts rather
than migrate from samba3) we set the GID and UID the same as they had in the
LDAP prior so that we didn't have to remap UID and gids for share files and
folders.

I have a share where the user and group *should* be able to read and write to
folders via shell and windows file explorer.  But they can't.  It seems that
the owner aspects of the ACL work properly, but the group aspects don't. 
They don't work via shell or windows file explorer.  All shares on this
upgraded server exhibit the same problem.  The ACLs were never tested when the
server was running version 16.04 that I remember.

The same configuration on a fresh Ubuntu 18 file server install works great both
in shell and windows file explorer.
Both these command return same values on both servers.
getent passwd DOMAIN\\username
getent group DOMAIN\\usernamegrp

dpkg -l |grep samba
# shows the same version on both servers
ii  python-samba
ii  samba
ii  samba-common
ii  samba-common-bin
ii  samba-dsdb-modules
ii  samba-libs:amd64
ii  samba-vfs-modules

dpkg -l |grep winbind
# shows the same version on both servers
ii  libnss-winbind:amd64
ii  libpam-winbind:amd64
ii  libwbclient0:amd64
ii  winbind

smb.conf is the same on both servers also.

Any advice?
Winbind cache ?

Thanks
        Derek

Derek Werthmuller
Director of Technology Innovation and Services
CTG UAlbany
518.442.3892
www.ctg.albany.edu<http://www.ctg.albany.edu/>

On Tue, 9 Apr 2019 13:21:02 +0000
"Werthmuller, Derek via samba" <samba at lists.samba.org> wrote:
> Running a Samba 4 AD DC on Ubuntu 18.04, and fileservers on 18.04.
> Our access control needs are rather simple and worked well under the
> samba 3 series with LDAP users and groups so we plan to keep using
> the POSIX ACL (regular filesystem access controls)
> 
> 
> smb.conf is the same on both servers also.
> 
You have left out the main thing (though you have hinted at it) that
might help, the smb.conf files. Can you please post the smb.conf files
from the DC and the fileservers.

Rowland