Bug 14496 - ACL modification with "smbcacls" misbehaves when multiple ACEs for a single user are present
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.12.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2020-09-15 02:24 UTC by Micah Veilleux
Modified: 2020-09-15 02:24 UTC

Description Micah Veilleux 2020-09-15 02:24:38 UTC
Attempting to modify an ACE with "smbcacls", when another ACE exists that applies to the same user, can lead to unintended removal of the ACE:
------------------------------
mcrs3:/TCS # smbcacls //mcrs3/TCS /testdir -k yes
REVISION:1
CONTROL:SR|DP
OWNER:VPTC3\cifsuser
GROUP:VPTC3\Domain Users
ACL:VPTC3\Domain Admins:ALLOWED/CI/FULL
ACL:VPTC3\Domain Admins:ALLOWED/OI|IO/RWDPO
ACL:VPTC3\ptstest:ALLOWED/CI/READ
ACL:VPTC3\ptstest:ALLOWED/OI|IO/R
ACL:VPTC3\cifsuser:ALLOWED/CI/FULL
ACL:VPTC3\cifsuser:ALLOWED/OI|IO/RWDPO
mcrs3:/TCS # smbcacls //mcrs3/TCS /testdir -k yes -M "ACL:VPTC3\ptstest:ALLOWED/CI/FULL"
mcrs3:/TCS # smbcacls //mcrs3/TCS /testdir -k yes
REVISION:1
CONTROL:SR|DP
OWNER:VPTC3\cifsuser
GROUP:VPTC3\Domain Users
ACL:VPTC3\Domain Admins:ALLOWED/CI/FULL
ACL:VPTC3\Domain Admins:ALLOWED/OI|IO/RWDPO
ACL:VPTC3\ptstest:ALLOWED/CI/FULL   # the "ALLOWED/OI|IO/R" ACE that applies to "VPTC3\ptstest" is missing
ACL:VPTC3\cifsuser:ALLOWED/CI/FULL
ACL:VPTC3\cifsuser:ALLOWED/OI|IO/RWDPO
mcrs3:/TCS #
------------------------------

The smbcacls man page states that the "-M" option should "Modify the mask value (permissions) for the ACEs specified on the command line", with no mention of the flags.  The ACE is defined as "ACL:<sid or name>:<type>/<flags>/<mask>".  In this case, my expectation is that for any ACE in which the name, type, and flags match, the mask will be updated.

It also seems incorrect that the entries are prefixed with "ACL" rather than "ACE".

My version of sernet-samba is 99:4.12.2-11.suse150.
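
A check for the behaviour reported above, as an added example that is not part of the original report or of Samba's code: it parses the ACE lines of the two smbcacls listings from the report, applies the mask change the way the reporter expects (update only where name, type and flags match), and lists the ACEs that disappeared. The class and function names are assumptions made for this example.

```python
from typing import NamedTuple

class Ace(NamedTuple):
    trustee: str   # SID or name
    ace_type: str  # e.g. ALLOWED
    flags: str     # e.g. CI or OI|IO
    mask: str      # e.g. FULL, READ, RWDPO

    @property
    def key(self):
        # Identity of an ACE for matching purposes: everything except the mask.
        return (self.trustee, self.ace_type, self.flags)

def parse_aces(listing: str) -> list[Ace]:
    """Parse the 'ACL:<sid or name>:<type>/<flags>/<mask>' lines of smbcacls output."""
    aces = []
    for line in listing.splitlines():
        line = line.split("#", 1)[0].strip()  # drop annotations like the one in the report
        if line.startswith("ACL:"):
            trustee, spec = line[4:].rsplit(":", 1)
            aces.append(Ace(trustee, *spec.split("/")))
    return aces

def expected_modify(aces, new):
    """Reporter's expectation for -M: change the mask only where name, type and flags match."""
    return [new if a.key == new.key else a for a in aces]

def lost_aces(before, after):
    """ACEs whose (name, type, flags) existed before the change and are gone afterwards."""
    remaining = {a.key for a in after}
    return [a for a in before if a.key not in remaining]

# ACE lines copied from the two listings in the report.
BEFORE = r"""
ACL:VPTC3\Domain Admins:ALLOWED/CI/FULL
ACL:VPTC3\Domain Admins:ALLOWED/OI|IO/RWDPO
ACL:VPTC3\ptstest:ALLOWED/CI/READ
ACL:VPTC3\ptstest:ALLOWED/OI|IO/R
ACL:VPTC3\cifsuser:ALLOWED/CI/FULL
ACL:VPTC3\cifsuser:ALLOWED/OI|IO/RWDPO
"""
AFTER = r"""
ACL:VPTC3\Domain Admins:ALLOWED/CI/FULL
ACL:VPTC3\Domain Admins:ALLOWED/OI|IO/RWDPO
ACL:VPTC3\ptstest:ALLOWED/CI/FULL
ACL:VPTC3\cifsuser:ALLOWED/CI/FULL
ACL:VPTC3\cifsuser:ALLOWED/OI|IO/RWDPO
"""
CHANGE = parse_aces(r"ACL:VPTC3\ptstest:ALLOWED/CI/FULL")[0]  # argument given to -M
```

Calling `lost_aces(parse_aces(BEFORE), parse_aces(AFTER))` returns the dropped `OI|IO/R` entry, while the same check against `expected_modify(parse_aces(BEFORE), CHANGE)` returns an empty list.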