When I setup a basic file share on a DC and on a member server:
path = /srv/samba/Demo
read only = no
The folder is on XFS, owned by root:root and has permissions 755 on Linux side.
Behavior on the member server:
Connect to the share as domain admin, right-click and go to the "security" tab. Here I see "everyone" and two "root" entries. I click the "edit" button and remove the two "root" entries. When I click "apply", everything is reset (the two entries went back"). If i grant "modify" to "everyone" - where all "allow" entries are empty per default and click "apply", then all boxes are checked automatically (full access) and "CREATOR OWNER" and "CREATOR GROUP" appear. And this two can't be removed as well any more.
Behaviour on a DC:
If I do exactly the same on a DC, then the security tab already shows on
opening very different settings. The wiki screenshot shows them: http://wikiupload.samba.org/images/8/8f/Demo_Share_Security.png). Also whatever I change (like removing the two "root" entries from the ACLs), everything is done like expected and saved.
On the mailing list, Keith McCormick gave me the hint, that I should add
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = Yes
to my member servers smb.conf. With this VFS object and settings, the filesystem ACLs on the member server act the same as on a DC.
This is reproducable with 4.1.x and 4.0.x.
I already discussed that on the samba mailing list (http://samba.2283325.n4.nabble.com/File-share-permissions-act-different-on-member-server-than-on-DC-td4654993.html).
Is it expected, that the fileserver on a member server acts different and the VFS module is required to get ACLs working?
I'll close this bug report, as it seems to be an expected behaviour at the moment. I already have described this in the Member Server Wiki HowTo, too.