missing owner@: and user: ACL entries for created files/folders from Windows

[kazak]

Hi,
I encountered strange problem after going to Nas4Free 10 (currently on 10.2.0.2.1814)
when creating files or folders from Windows client the security permissions looks fine from Windows, but checking on FS level it seems there is some problem.

There is no owner@ acl entry for the file/folder. Instead there is a group:{owner} acl entry
Also all user:{username} acl entries inherited from parent are transferred to group:{username} acl entries
It is quite strange and there is some strange problems with normal users accessing their shares, etc.
As I said from Windows, looking at Security permissions of created objects everything looks fine, but on FS level permissions are set incorrectly.

Have someone experienced same problem, and know a fixup for this behavior?

Joining to AD domain is successful and all AD users and groups are recognized/mapped
I have following settings for the share:
writeable = yes
printable = no
veto files = /.snap/.sujournal/
hide dot files = yes
guest ok = no
inherit permissions = yes
inherit acls = yes
vfs objects = shadow_copy2 zfsacl recycle aio_pthread acl_xattr
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
shadow:format = auto-%Y%m%d-%H%M%S
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:localtime = yes
veto files = /.zfs/
inheritpermissions=Yes
inheritacls=Yes
inheritowner=Yes
maparchive=No
mapreadonly=no
vfs objects=zfsacl
nfs4:mode=special
nfs4:acedup=merge
nfs4:chown=yes
admin users = @domain_admins
acl group control = yes
nt acl support = yes
create mode = 0660
directory mode = 0770


and following settings for global in smb4.conf
server role = standalone
encrypt passwords = yes
security = ads
max protocol = SMB3
dns proxy = no
# Settings to enhance performance:
strict locking = no
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
getwd cache = yes
socket options = TCP_NODELAY SO_SNDBUF=128480 SO_RCVBUF=128480
# End of performance section
unix charset = UTF-8
store dos attributes = yes
local master = no
domain master = no
preferred master = no
os level = 0
time server = no
guest account = ftp
map to guest = Never
max log size = 100
syslog only = yes
syslog = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log level = 1
dos charset = CP1251
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
passdb backend = tdbsam
allow trusted domains = no
idmap config * : backend = tdb
idmap config * : range = 10000-39999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-39999
realm = domain.net
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind normalize names = yes
template homedir = /mnt
template shell = /bin/sh
aio read size = 65536
aio write size = 65536
bind interfaces only = yes
interfaces = re0
#log file = /var/log/samba/log.%m
#ntlm auth = no
#syslog only = no
template homedir = /mnt/data/users/%U
template shell = /bin/fails


Regards,
Kazak

[kazak]

it seems nfs4:mode set to special should do this, but obviously it does not, at least for my case

nfs4:mode = [ simple | special ]
Controls substitution of special IDs (OWNER@ and GROUP@) on ZFS. The use of mode simple is recommended. In this mode only non inheriting ACL entries for the file owner and group are mapped to special IDs.

The following MODEs are understood by the module:
• simple(default) − use OWNER@ and GROUP@ special IDs for non inheriting ACEs only.
• special(deprecated) − use OWNER@ and GROUP@ special IDs in ACEs for all file owner and group ACEs.