Reported by "Walkes, Dan" <dwalkes@tandbergdata.com>.

I've noticed a problem with Debian wheezy + samba 3.6.6 configured with
acl_xattr.  The following test sequence causes Windows Explorer to
report incorrectly ordered permission entries:
1)      Map a share as with "admin" user credentials  to a drive letter
on a Windows client
2)      Create a folder at the root of the share "rootfolder"
3)      Create a subfolder "subfolder1" under "rootfolder"
4)      Un-check "Include inheritable permissions from this object's
parent" in the windows security settings dialog for Windows Explorer on
the root folder
5)      Create a subfolder "subfolder2" under "subfolder1"
6)      Right-click with Windows Explorer and attempt to edit the
permissions of "subfolder2".  Windows Explorer pops up a message stating
"The permissions on subfolder2 are incorrectly ordered, which may cause
some entries to be ineffective."

This is reproducible on every Windows client system I've tried including
Windows 7, XP, Server 2008 R2 and Server 2003.
When incorrectly ordered, the permissions look like this as printed by
smbcacls smbcacls //localhost/20120821_3
rootfolder/subfolder1/subfolder2
REVISION:1
CONTROL:0x8004
OWNER:BIZNAS-H5\admin
GROUP:BIZNAS-H5\None
ACL:BIZNAS-H5\admin:ALLOWED/0x0/RWXDPO
ACL:Creator Owner:ALLOWED/OI|CI|IO|I/RWXDPO
ACL:BIZNAS-H5\None:ALLOWED/0x0/RWXDPO
ACL:Creator Group:ALLOWED/OI|CI|IO|I/RWXDPO
ACL:Everyone:ALLOWED/OI|CI|I/RWXDPO

For comparison, here is the same subfolder tree without performing step
4 above to un-check the "Include inheritable perimssions" box from
Windows explorer:
smbcacls //localhost/20120821_3 rootfolder/subfolder1/subfolder2
REVISION:1
CONTROL:0x8004
OWNER:BIZNAS-H5\admin
GROUP:BIZNAS-H5\None
ACL:BIZNAS-H5\admin:ALLOWED/0x0/RWXDPO
ACL:Creator Owner:ALLOWED/OI|CI|IO/RWXDPO
ACL:BIZNAS-H5\None:ALLOWED/0x0/RWXDPO
ACL:Creator Group:ALLOWED/OI|CI|IO/RWXDPO
ACL:Everyone:ALLOWED/OI|CI/RWXDPO admin@BizNAS-H5:/mnt/lvol0$

Note that the ACE entries are in the same order, however in the first
case where Windows reports incorrectly ordered ACE's Creator Owner,
Creator Group and Everyone ACE's include the "I" flag
SEC_ACE_FLAG_INHERITED_ACE
The share folder, rootfolder and subfolder1 permissions are as shown
below (steps 1 through 3)

smbcacls //localhost/20120821_3 rootfolder/..
REVISION:1
CONTROL:0x8004
OWNER:BIZNAS-H5\nobody
GROUP:Unix Group\root
ACL:BIZNAS-H5\nobody:ALLOWED/0x0/FULL
ACL:Unix Group\%naslocal%:ALLOWED/0x0/FULL ACL:Unix
Group\root:ALLOWED/0x0/FULL ACL:BIZNAS-H5\admin:ALLOWED/0x0/FULL
ACL:Everyone:ALLOWED/0x0/
ACL:Creator Owner:ALLOWED/OI|CI|IO/RWXDPO ACL:Creator
Group:ALLOWED/OI|CI|IO/RWXDPO ACL:Everyone:ALLOWED/OI|CI|IO/RWXDPO

smbcacls //localhost/20120821_3 rootfolder
REVISION:1
CONTROL:0x8004
OWNER:BIZNAS-H5\admin
GROUP:BIZNAS-H5\None
ACL:BIZNAS-H5\admin:ALLOWED/0x0/RWXDPO
ACL:Creator Owner:ALLOWED/OI|CI|IO/RWXDPO
ACL:BIZNAS-H5\None:ALLOWED/0x0/RWXDPO
ACL:Creator Group:ALLOWED/OI|CI|IO/RWXDPO
ACL:Everyone:ALLOWED/OI|CI/RWXDPO admin@BizNAS-H5:/mnt/lvol0$

smbcacls //localhost/20120821_3 rootfolder/subfolder1
REVISION:1
CONTROL:0x8004
OWNER:BIZNAS-H5\admin
GROUP:BIZNAS-H5\None
ACL:BIZNAS-H5\admin:ALLOWED/0x0/RWXDPO
ACL:Creator Owner:ALLOWED/OI|CI|IO/RWXDPO
ACL:BIZNAS-H5\None:ALLOWED/0x0/RWXDPO
ACL:Creator Group:ALLOWED/OI|CI|IO/RWXDPO
ACL:Everyone:ALLOWED/OI|CI/RWXDPO

Note that in each case flags OI|CI|IO are set on Creator Owner, Creator
Group and Everyone ACE's, however corresponding subfolders do not have
the "I" flag and SEC_ACE_FLAG_INHERITED_ACE set.  I would have expected
this to be set for each inherited permission.  Indeed Windows explorer
does mark these permissions as "Inherited From Z:\" where Z:\ is the
mapped share folder.

The value of subfolder1 after step 4 is:

smbcacls //localhost/20120821_3 rootfolder/subfolder1
REVISION:1
CONTROL:0x8d04
OWNER:BIZNAS-H5\admin
GROUP:BIZNAS-H5\None
ACL:BIZNAS-H5\admin:ALLOWED/I/RWXDPO
ACL:Creator Owner:ALLOWED/OI|CI|IO|I/RWXDPO
ACL:BIZNAS-H5\None:ALLOWED/I/RWXDPO
ACL:Creator Group:ALLOWED/OI|CI|IO|I/RWXDPO
ACL:Everyone:ALLOWED/OI|CI|I/RWXDPO

Note that when un-checking "Include inheritable permissions" and adding
existing permissions using Windows Explorer, Windows forces the "I"
SEC_ACE_FLAG_INHERITED_ACE flag on subfolder1 (and all subdirectories
below rootfolder) ACE's including the ACE entries "admin" and "None"
which were actually not inherited but created through the "Creator
Owner" ACE.

When viewing "Advanced Security Settings" on a folder with incorrectly
ordered permissions, Windows provides a "reorder" option.  Reordering
the ACE's results in the following permissions:

smbcacls //localhost/20120821_3 rootfolder/subfolder1/subfolder2
REVISION:1
CONTROL:0x8d04
OWNER:BIZNAS-H5\admin
GROUP:BIZNAS-H5\None
ACL:BIZNAS-H5\admin:ALLOWED/0x0/RWXDPO
ACL:BIZNAS-H5\None:ALLOWED/0x0/RWXDPO
ACL:BIZNAS-H5\admin:ALLOWED/I/RWXDPO
ACL:Creator Owner:ALLOWED/OI|CI|IO|I/RWXDPO
ACL:BIZNAS-H5\None:ALLOWED/I/RWXDPO
ACL:Creator Group:ALLOWED/OI|CI|IO|I/RWXDPO
ACL:Everyone:ALLOWED/OI|CI|I/RWXDPO

Note that all "I" SEC_ACE_FLAG_INHERITED_ACE's are listed below entries
with inherit flags cleared - I'm guessing this was the reason for the
incorrect ordering message in Windows.  I'm not sure why this is
required by Windows and I haven't come up with a scenario where
permissions are actually ineffective due to this ordering.

Assuming it is a requirement to order permissions in this way, I think
I've noticed two problems which are either samba bugs or some other
problem with my configuration which I've not yet identified.
 1) ACE's are not ordered based in SEC_ACE_FLAG_INHERITED_ACE's to
include all permissions with "I" values at the end of the ACE list.
 2) Although permissions on folders are marked with OI|CI|IO flags
appear to inherit properly from Windows, the "I" flag is not set in
corresponding ACE's.
My smb.conf configuration is below.  I haven't found anything in the man
page for smb.conf which would explain this behavior.  I've experimented
with turning off vfs_acl_xattr with this change to smb.conf:
#       vfs objects = acl_xattr
        dos filemode = yes
        inherit acls = yes
        force unknown acl user = yes
However in this case I've noticed that Windows does not indicate
permissions are inherited ("Include inheritable permissions from this
object's parent is un-checked") and I'd prefer a configuration which
mimics Windows server implementation as closely as possible.

Full smb.conf configuration:
[global]
        workgroup = WORKGROUP
        security = user
        server string = %h server
        obey pam restrictions = Yes
        pam password change = Yes
        unix password sync = Yes
        log level = 0
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        local master = No
        domain master = No
        dns proxy = No
        socket options = TCP_NODELAY
        panic action = /usr/share/samba/panic-action %d
        idmap alloc config: range = 10000-100000
        idmap uid = 10000 - 100000
        idmap gid = 10000 - 100000
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = No
        winbind refresh tickets = Yes
        store dos attributes =  yes
        ea support = yes
        vfs objects = acl_xattr
        passdb backend = tdbsam
        username map = /etc/samba/smbusers
        encrypt passwords = yes
        map to guest = Bad User
        deadtime = 5
        include = /etc/samba/dhcp.conf

[20120821_3]
        comment =
        path = /tmp/testshare3
        map acl inherit = Yes
        map archive = No
        map read only = No
        security mask = 0777
        create mask = 0640
        directory mask = 0750
        delete readonly = yes
        directory mode= 0777
        create mode= 0777
        acl map full control = True
        read only = Yes
        invalid users =
        valid users = "@%naslocal%" "admin"
        read list =
        write list = "@%naslocal%" "admin"