[Samba] Samba not respecting directory acls inside a share

Fabian Fritz fabianfuture at web.de
Tue Nov 20 18:19:40 UTC 2018


We are running Samba 4.9.2 on Solaris 10 connected to AD as a member
with some share:

path = /samba/refb
browseable = no
valid users = +"AM\refb_users"
writeable = yes
force user = AM\qui
force group = AM\refb_users

All the samba users and groups come from AD through nss_winbind.

Inside /samba/refb/ I created a subdirectory test_a and set the owner
(in Solaris via chown) to AM\refba_users. I also set chmod 770. My
assumption would be that anyone that is a member of group refb_users
should be able to access the share and those who are also members of
the group refba_users should be able to read and write to the
directory test_a.

But actually when I access the share as a member of refb_users (which
works) on a Windows Client I am also able to access the directory
test_a, even though I am not a member of the owner group refba_users.
I would expect that Samba examines the POSIX owner group and denies
access to anyone who is not a member of that group.

Is this expected behavior? Is there some option I have to set in the
smb.conf that I've missed? I haven't looked into extended attributes
yet, but this doesn't seem like a very advanced requirement.

