If the owner of a file has exec permission, then cifs vfs seems to generally grant exec permission on files where the ACL does not actually grant exec permission. Example:

bjacke@cifstest1:/mnt3/a$ getcifsacl test.txt
REVISION:0x1
CONTROL:0x8c04
OWNER:S-1-5-21-4207148185-4040488370-1588356217-500
GROUP:S-1-5-21-4207148185-4040488370-1588356217-513
ACL:S-1-5-21-4207148185-4040488370-1588356217-500:ALLOWED/I/FULL
ACL:S-1-5-21-4207148185-4040488370-1588356217-513:ALLOWED/I/R
ACL:BUILTIN\Users:ALLOWED/I/R

I'm connected with a user who is just in the Users group and I *can* execute the test.txt file. This should not be allowed. Only Administrator (S-1-5-21-4207148185-4040488370-1588356217-500) has execute permission according to the ACL.
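
An added example, not part of the original report and not cifs-utils code: it evaluates the ACL text quoted above for a set of trustees and reports whether execute is granted, which is the answer the mode bits on the mount can be compared against. The function names are hypothetical, and the letter-form masks (R, W, X, D, P, O) and "|"-separated ACE flags are assumptions about getcifsacl's output beyond what the report shows.

```python
FILE_EXECUTE = 0x20  # FILE_EXECUTE bit of a Windows access mask

# ACL output copied from the report above.
REPORTED_ACL = r"""REVISION:0x1
CONTROL:0x8c04
OWNER:S-1-5-21-4207148185-4040488370-1588356217-500
GROUP:S-1-5-21-4207148185-4040488370-1588356217-513
ACL:S-1-5-21-4207148185-4040488370-1588356217-500:ALLOWED/I/FULL
ACL:S-1-5-21-4207148185-4040488370-1588356217-513:ALLOWED/I/R
ACL:BUILTIN\Users:ALLOWED/I/R
"""


def mask_grants_execute(mask):
    """True if the mask field of an ACE line includes execute."""
    if mask == "FULL":
        return True
    if mask.lower().startswith("0x"):
        return bool(int(mask, 16) & FILE_EXECUTE)
    if mask and set(mask) <= set("RWXDPO"):  # assumed letter form
        return "X" in mask
    # Other named masks are not interpreted here; fail loudly instead of guessing.
    raise ValueError(f"unhandled mask {mask!r}")


def acl_allows_execute(acl_text, trustees):
    """Walk ACEs in order; the first matching ACE that covers execute decides."""
    for line in acl_text.splitlines():
        if not line.startswith("ACL:"):
            continue
        trustee, ace = line[4:].rsplit(":", 1)
        ace_type, flags, mask = ace.split("/")
        if trustee not in trustees or "IO" in flags.split("|"):
            continue  # other principal, or inherit-only ACE (assumed flag format)
        if mask_grants_execute(mask):
            return ace_type == "ALLOWED"
    return False  # no matching ACE covers execute: implicit deny


if __name__ == "__main__":
    users = {r"BUILTIN\Users", "S-1-5-21-4207148185-4040488370-1588356217-513"}
    print("Users may execute:", acl_allows_execute(REPORTED_ACL, users))
```

A regression check for the behaviour reported here would compare this result with `os.access(path, os.X_OK)` on the mounted file for the same user.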