[Samba] POSIX ACLs are not inherited after upgrade - behaviour changed?

Henry Jensen hjensen at mailbox.org
Mon Jul 4 14:52:28 UTC 2022


I have several Samba servers running as (Samba) AD Domain members on
Devuan Ascii (= Debian 9) with Samba 4.5.x, using POSIX ACLs.

ACL Example of a directory share:

# getfacl .
# file: .
# owner: root
# group: root
# flags: -s-
user::rwx
group::rwx
group:mygroup:rwx
mask::rwx
other::---

Note that there is no default ACL.


When I create a file foo in this directory using an SMB client the ACLs are
inherited:

# getfacl foo
# file: foo
# owner: root
# group: root
user::rwx
group::rw-
group:mygroup:rwx
mask::rwx
other::---


However, after an upgrade to Devuan 3 (same as Debian 10) with Samba 4.9.x
this behaviour changed and the ACLs are not inherited, just the standard Unix
group and user are inherited.


# getfacl foo
# file: foo
# owner: root
# group: root
user::rwx
group::rw-
other::---


As you can see, mygroup is missing, which means that users belonging to
mygroup (including the creator of the file) can't see or access the file.

However, if a default ACL is applied to the directory, the old behaviour is
restored and all "mygroup" users can access the file.

My question is: Was this change in behaviour intended? I haven't found
anything about this in the Samba release notes from 4.6.0 to 4.9.0.

I have used POSIX ACLs and Samba since the old Samba 3.x times and there was
never the need to use default ACLs. It was my impression that

inherit permissions = yes
inherit acls = yes

would be enough to inherit ACLs.


The relevant parts in smb.conf:

[global]
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes


[myshare]
path = /data/myshare
public = no
writeable = yes
hide unreadable = yes
create mask = 1660
directory mask = 1770
inherit owner = yes
inherit permissions = yes
inherit acls = yes
acl group control = yes
map acl inherit = yes



Regards,

Henry
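
Added example, not part of the original post: a small Python check that parses `getfacl` output and lists the named user/group entries of a directory's access ACL that have no `default:` counterpart, which is the condition the post associates with new files losing the `mygroup` entry. The function names and the second sample (with default entries) are constructed for illustration.

```python
# Constructed samples: DIR_ACL mirrors the directory ACL shown in the post;
# DIR_ACL_WITH_DEFAULT adds default: entries (assumed, for illustration).
DIR_ACL = """\
# file: .
# owner: root
# group: root
# flags: -s-
user::rwx
group::rwx
group:mygroup:rwx
mask::rwx
other::---
"""
DIR_ACL_WITH_DEFAULT = DIR_ACL + """\
default:user::rwx
default:group::rwx
default:group:mygroup:rwx
default:mask::rwx
default:other::---
"""


def parse_getfacl(text):
    """Return {'access': {(tag, name): perms}, 'default': {(tag, name): perms}}."""
    acl = {"access": {}, "default": {}}
    for raw in text.splitlines():
        # Drop "# file:" style headers and trailing "#effective:" comments.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        scope = "access"
        if fields[0] == "default":
            scope, fields = "default", fields[1:]
        if len(fields) != 3:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        tag, name, perms = fields
        acl[scope][(tag, name)] = perms
    return acl


def missing_defaults(text):
    """Named user/group access entries that have no matching default: entry."""
    acl = parse_getfacl(text)
    return sorted(f"{tag}:{name}" for (tag, name) in acl["access"]
                  if name and tag in ("user", "group")
                  and (tag, name) not in acl["default"])


if __name__ == "__main__":
    for label, sample in (("post", DIR_ACL), ("with default", DIR_ACL_WITH_DEFAULT)):
        print(label, missing_defaults(sample) or "none missing")
```

To run it against a real share, pass the text produced by `getfacl` on the directory to `missing_defaults`.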


