Was experimenting with some ACL editing issues that our testers reported, and ran into an interesting issue. When you add an ACE for a remote user (i.e. a user on the Samba server) in Windows Explorer's ACL editor (see e.g. https://medschool.duke.edu/sites/medschool.duke.edu/files/upload/explorer_users_computers.jpg)

Our testers noticed (and I confirmed with e.g. Samba 4.5, on Fedora etc.) that if you try to add an ACE for a user (in my case a user defined on the remote system, i.e. Samba server) from Windows 8.1 (among others) it fails, but for Windows 10 (and Windows 2012R2, and our testers reported it worked with Windows 2016 too) it works.

Comparing Wireshark traces:

1) netwkstagetinfo
2) getinfo on lsarpc
3) lsa_OpenPolicy2 (only on Windows 10)
4) lsa_LookupNames (only on Windows 10)
5) DsRoleGetPrimaryDomainInfo

Repro steps:

1) Open Windows Explorer on Windows 8.1 Client
2) Navigate to remote SMB Storage share (where Client and Server are joined to the same domain)
3) Right-click folder and select Properties
4) Select Security tab, click Edit…
5) Click Add… to enter new permissions
6) Enter the objects names to select, type a user name valid on the remote system (Samba server, but not a valid local user) and click "check names"

For the working case (e.g. Windows 2012R2) it filled in the user name - changing "admin" to "192.168.93.17\admin" - but for the failing case (Windows 8.1 for example) it returned "Name Not Found".
Created attachment 12666: wireshark trace of failure
Created attachment 12667: wireshark trace of success
Also asked dochelp at Microsoft for any ideas why client behavior differs here.