[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade

Sebastian Arcus s.arcus at open-t.co.uk
Tue Jun 11 09:34:07 UTC 2019


I've just upgraded a Samba AD server to 4.10.2 a few weeks ago from 4.x 
(I'm afraid I'm not sure the exact earlier version) - and since then I 
just haven't managed to pin down the file permissions and inheritance on 
the shares as it's been constantly causing issues. This server is both a 
file server and an AD DC.

The current problem I am facing is the permissions of the lock file 
generated by Microsoft Access (.ldb). The Access database is on the 
server share. When one Windows client opens it, the .ldb file is created 
with group write permission (-rw-rw----). But when it is opened from 
another Windows machine, the .ldb file is created with group read-only 
permissions (-rw-r-----) - which locks other users out. There seems to 
be a mask applied, but I have no idea where it is coming from. Both 
client machines are Windows 7 - I just can't figure out the reason. It 
used to work fine before the Samba upgrade. The wrong ACLs for the .ldb 
file look like this:

# file: praxis_be.ldb
# owner: HEBI\\user1
# group: HEBI\\domain\040users
user::rw-
user:root:rwx			#effective:r--
group::rwx			#effective:r--
group:HEBI\\domain\040users:rwx	#effective:r--
group:HEBI\\domain\040computers:r-x	#effective:r--
mask::r--
other::---


What I've tried:

1. I have set and reset the ACLs on the Linux side for the share and 
parent dir (the lock file is in the root of the network share) - and 
made sure it doesn't have a mask:

# file: /srv/samba/praxis
# owner: root
# group: HEBI\\domain\040users
user::rwx
user:root:rwx
group::rwx
group:HEBI\\domain\040users:rwx
group:HEBI\\domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:HEBI\\domain\040users:rwx
default:group:HEBI\\domain\040computers:r-x
default:mask::rwx
default:other::---

2. I have set the "inherit acls = " and forced the masks in smb.conf:

[praxis]
path = /srv/samba/praxis
read only = No
create mask = 0660
directory mask = 0770
inherit acls = yes


What I can't understand is why a mask is applied when the .ldb file is 
created - and why it is different between the two Windows 7 machines (if 
it comes from the Windows side).

Any suggestions would be much appreciated.
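
Added example, not part of the original post and not Samba code: a small Python model of the acl(5) rules for a file created under a default ACL, showing how the mode requested at creation sets the new file's mask and, through it, the effective rights and the group bits that ls shows. The default ACL is copied from the post (group names written with a literal space instead of \040); the create modes 0660 and 0640 are constructed inputs chosen to reproduce the two results described, not values observed from either client.

```python
# Model of POSIX ACL inheritance (acl(5)) for a new file in a directory
# that carries a default ACL. Sample data is constructed from the post.

DEFAULT_ACL = [  # the default: entries of /srv/samba/praxis
    ("user", "", "rwx"), ("user", "root", "rwx"), ("group", "", "rwx"),
    ("group", "HEBI\\domain users", "rwx"),
    ("group", "HEBI\\domain computers", "r-x"),
    ("mask", "", "rwx"), ("other", "", "---"),
]

def bits(perm):   # "rw-" -> 6
    return sum(v for c, v in zip(perm, (4, 2, 1)) if c != "-")

def text(n):      # 6 -> "rw-"
    return "".join(c if n & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def inherit(default_acl, mode):
    """Access ACL of a new file: default entries are copied, then the entries
    that map to mode bits (user::, mask::, other::) are ANDed with `mode`.
    The umask is not consulted when a default ACL exists."""
    clamp = {"user": (mode >> 6) & 7, "mask": (mode >> 3) & 7, "other": mode & 7}
    acl = []
    for tag, name, perm in default_acl:
        p = bits(perm)
        if name == "" and tag in clamp:
            p &= clamp[tag]
        acl.append((tag, name, text(p)))
    return acl

def effective(acl):
    """Named users, the owning group and named groups are limited by mask::."""
    mask = next(bits(p) for t, n, p in acl if t == "mask")
    out = {}
    for tag, name, perm in acl:
        limited = tag == "group" or (tag == "user" and name != "")
        out[f"{tag}:{name}"] = text(bits(perm) & mask if limited else bits(perm))
    return out

def ls_mode(acl):
    """Mode string as `ls -l` prints it: the group triplet is the mask."""
    pick = {t: p for t, n, p in acl if n == "" and t in ("user", "mask", "other")}
    return "-" + pick["user"] + pick["mask"] + pick["other"]

if __name__ == "__main__":
    for mode in (0o660, 0o640):  # constructed create modes
        acl = inherit(DEFAULT_ACL, mode)
        print(oct(mode), ls_mode(acl), effective(acl))
```

With the ACL in place, running chmod on the file rewrites mask:: rather than group::, so the same model applies to a mode change made after creation.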


