If this ACL is set with 'samba-tool ntacl sysvolreset': O:BAG:SYD:AI(A;ID;0x001200a9;;;AU)(A;OICIIOID;GRGX;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;GRGX;;;SO)(A;ID;0x001e01bf;;;BA)(A;OICIIOID;WOWDGRGWGX;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;WOWDGRGWGX;;;CO) and immediately read it back with 'samba-tool ntacl sysvolcheck', I get this: O:BAG:SYD:AI(A;ID;0x001200a9;;;AU)(A;OICIIOID;GRGX;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;GRGX;;;SO)(A;ID;0x001f01ff;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO) These two ACES: (A;ID;0x001e01bf;;;BA)(A;OICIIOID;WOWDGRGWGX;;;BA) Have Become (A;ID;0x001f01ff;;;BA)(A;OICIIOID;GA;;;BA) And (A;OICIIOID;WOWDGRGWGX;;;CO) Has become (A;OICIIOID;GA;;;CO) If you check from Windows, you get the same ACL as 'sysvolcheck' It seems that set_nt_acl from source3/smbd/posix_acls.c isn't setting the correct ACL.
Not sure if this is related to bug 12363 which refers to fset_nt_acl_common in source3/modules/vfs_acl_common.c