[Samba] Permissions at the top of a Samba share

[🦏 Peter Rindfuss]

Hi,

I have a question regarding permissions at the top of a share as seen
from a Windows 10 client.

We are using Samba 4.10.6-Debian (van Belle) on Debian 10 (Buster) with
one AD controller and one file server.

The top directory of our main share on the file server has, on the Linux
level, these permissions reported by getfacl:
# file: ...
# owner: root
# group: domain\040users
# flags: ---
user::rwx
group::r-x
other::---

i.e. there are no rights for "other" and no default entries in the Posix
ACL (i.e. there is no Posix ACL at all, just plain Linux permissions)

getfattr -d -e hex -m - ...
shows user.DOSATTRIB="<something>", but no "security.NTACL=" and no
"user.SAMBA_PAI="

The Windows security editor, however, has two entries for "Everyone":
Allow Everyone None    'This folder only'
Allow Everyone Special 'Subfolders and files only', the special rights
being read permission.

I am wondering where the read permission for 'Subfolders and files only'
comes from as there is no trace of this on the Linux side.

Thanks, Peter