According to the man page, vfs_acl_xattr should not modify the underlying system ACLs upon setting the NT ACLs, if "ignore system acls" is yes. In practice, vfs_acl_xattr (and vfs_acl_tdb - it's common code) always sets the underlying ACLs - UNIX permissions and POSIX ACLs. It ignores them only when fetching the NT ACL (not comparing to the underlying ACL).

This has significance, for example, when emulating a Windows server. A Windows server, by default, does not check the "traverse folder" right (equivalent of the execute bit in UNIX) - this is configurable in local security policy, see "Bypass traverse checking" https://technet.microsoft.com/en-us/library/dn221950.aspx . If a user has no access to an outer folder, he can still access an inner folder if he has permissions for the inner folder.

A way to emulate that would be to set permissive UNIX permissions (0777) on folders, and enforce access via smbd only. However, since UNIX permissions are always modified to match the NT ACL, if the NT ACL of the outer folder does not have the "traverse folder" right for the user, the POSIX ACL may also lack the execute bit, denying access to the inner folder.
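An added example, not part of the original report or of Samba: a small audit script for the setup described above, listing directories under a share whose UNIX mode no longer grants traverse (execute) to everyone, which is where the kernel would block access that smbd alone was meant to decide. The function names and the sample tree are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile

# Traverse (execute) bits that the "0777 on folders" model expects on every directory.
TRAVERSE_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def find_restricted_dirs(share_root):
    """Return sorted (relative_path, octal_mode) for each directory under
    share_root (the root included) that is missing a traverse bit.

    Only the mode bits are inspected, not individual POSIX ACL entries.
    Run as a user that can walk the tree (typically root), because
    os.walk silently skips directories it cannot enter.
    """
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(share_root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode & TRAVERSE_BITS != TRAVERSE_BITS:
            rel = os.path.relpath(dirpath, share_root)
            findings.append((rel, format(mode, "04o")))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: 'outer' has lost o+x (as after an NT ACL write
    without traverse rights), while 'outer/inner' and 'open' stay 0777."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    os.makedirs(os.path.join(root, "outer", "inner"))
    os.makedirs(os.path.join(root, "open"))
    # chmod explicitly so the result does not depend on the umask.
    os.chmod(root, 0o777)
    os.chmod(os.path.join(root, "open"), 0o777)
    os.chmod(os.path.join(root, "outer", "inner"), 0o777)
    os.chmod(os.path.join(root, "outer"), 0o750)
    return root


if __name__ == "__main__":
    for path, mode in find_restricted_dirs(build_sample_tree()):
        print(f"{mode}  {path}")
```

Running it before and after setting an NT ACL from a Windows client shows whether the module changed the underlying mode on that share.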
Created attachment 11936: git-am fix for 4.4.next and 4.3.next
Comment on attachment 11936 (git-am fix for 4.4.next and 4.3.next): LGTM.
Re-assigning to Karolin for inclusion in 4.4.next, 4.3.next.
(In reply to Jeremy Allison from comment #3) Pushed to autobuild-v4-[4|3]-test.
(In reply to Karolin Seeger from comment #4) Pushed to both branches. Closing out bug report. Thanks!