If a folder that has inherited deny permissions from its parent is given allow permissions, the following error is seen in the samba logs:
create_canon_ace_lists: malformed ACL in file ACL ! Deny entry after Allow entry. Failing to set on file <FILE>
This is easily reproducible by creating a folder, setting deny permissions for a specific user, creating another folder inside the previous one and setting allow permissions for the same user. Windows will throw a warning but will allow it, samba should be able to handle this condition.
This is seen when using vfc_acl_xattr.
Argh. Comment for #10489 should have been added here:
More info needed. A wireshark capture showing the ACL sent by the client would
help I think.