In the past (most noticeable since the upgrade from 4.1 to 4.2 and especially now since 4.2.11) we had some trouble with id mappings on our DC, which also acts as file server. At first we used the default winbindd. When we made a getent or id call for a user/group, for some accounts it returned the unix id (10000+) and for some the internal id (300000+). Because of this and problems with ACLs we switched to the internal winbind. Now mappings via NSS (getent, id, ...) seem to be consistent and always return the unix ids. But when we set permissions under Windows, this process eventually (only in some cases) still uses the internal ids and writes them to the ACLs. We then have to manually add the correct unix user/group id to the ACLs, so the user can use the folder in the way he should.
Created attachment 12008: Global section of smb.conf
Closing this; this was undoubtedly caused by an incorrectly configured smb.conf (half DC and half Unix domain member).