NFSv4 ACLs include entries for special:owner and special:group. On a request to change the owner while keeping the existing ACL, these entries change their meaning. Consider a file owner by userA and an ACL entry granting access: Security Descriptor owner: userA ACL entry: userA FULL_ACCESS which can be mapped to a NFSv4 ACL: owner: userA ACL entry: special:owner FULL_ACCESS (meaning that userA has full access) Now changing only the owner should result in this Security Descriptor: owner: userB ACL entry: userA FULL_ACCESS (the ACL should not be modified) But the file with the above NFSv4 ACL will have: owner: userB ACL entry: special:owner FULL_ACCESS (meaning that now userB has full access) The fix will be to update the NFSv4 ACL on a request that only changes the owner.