Domain admins seem to be exempt from ACLs with smbd
As a domain admin, I get full read/write/execute permission regardless of the ACL set. My dataset currently has aclmode=passthrough and aclinherit=passthrough (not that it should matter). I set ACLs explicitly, both through NFS clients and through Windows' security dialog (both of which seem to otherwise take effect for non-DA users), and yet still have full access through Windows as the DA (but not as the DA through Kerberized NFS4).
I would think this is a security bug. The DA should, at the very worst, need to adjust the ACLs, which can generate an audit event.
Updated by Adam Stylinski 12 days ago
Does this behavior match Windows' behavior? It just doesn't jibe with how ACLs usually operate. At the very least, it's inconsistent with NFS4 ACLs, which, as you'd imagine, have no notion of a super admin. Does Samba do this when joined to a domain rather than explicitly setting an "admin users" list in its local user database?
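The update above asks whether an "admin users" list is involved. One thing a practitioner would check before calling this a bug is whether the share (or [global]) carries a Samba parameter that deliberately overrides the caller's identity: "admin users" makes smbd perform file operations for the listed users as root, and "force user" makes it perform them as a fixed account, in both cases regardless of the filesystem ACL. The script below is an added example, not part of this report and not Samba's code; it parses smb.conf-style text and reports such settings per share. The configuration it contains is constructed for illustration, and the share names, paths and account names are made up.

```python
"""Report smb.conf settings that make smbd bypass the filesystem ACL.

Added example (not from the bug report, not Samba code). Parses an
smb.conf-style text and lists, per share, the parameters that make smbd
run file operations as root ('admin users') or as a fixed account
('force user'). A value set in [global] applies to every share, so it is
reported against each share that does not override it.
"""
import configparser

# Samba parameters whose value replaces the calling user's identity for
# file access on the share. 'admin users' runs the listed users as root;
# 'force user' runs every connection as the named account.
IDENTITY_OVERRIDE_PARAMS = ("admin users", "force user")

# Constructed sample configuration; not taken from any real system.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = ads
    realm = EXAMPLE.LOCAL

[homes]
    path = /mnt/tank/homes
    read only = no

[projects]
    path = /mnt/tank/projects
    read only = no
    admin users = @EXAMPLE\\Domain Admins

[scans]
    path = /mnt/tank/scans
    force user = scanner
"""


def parse_smb_conf(text):
    """Parse smb.conf-style text into a case-insensitive config object.

    smb.conf uses '=' as the delimiter, '#' and ';' as comment markers,
    allows repeated keys, and is case-insensitive in parameter names with
    arbitrary whitespace inside them ('admin  users' == 'admin users').
    """
    parser = configparser.RawConfigParser(
        strict=False,
        delimiters=("=",),
        comment_prefixes=("#", ";"),
    )
    parser.optionxform = lambda name: " ".join(name.lower().split())
    parser.read_string(text)
    return parser


def find_identity_overrides(text):
    """Return {share: {parameter: value}} for shares where identity is overridden."""
    cfg = parse_smb_conf(text)
    global_values = {}
    if cfg.has_section("global"):
        for param in IDENTITY_OVERRIDE_PARAMS:
            if cfg.has_option("global", param):
                global_values[param] = cfg.get("global", param)

    findings = {}
    for share in cfg.sections():
        if share.lower() == "global":
            continue
        # Share-level settings take precedence over [global] ones.
        overrides = dict(global_values)
        for param in IDENTITY_OVERRIDE_PARAMS:
            if cfg.has_option(share, param):
                overrides[param] = cfg.get(share, param)
        if overrides:
            findings[share] = overrides
    return findings


if __name__ == "__main__":
    for share, params in find_identity_overrides(SAMPLE_SMB_CONF).items():
        for param, value in params.items():
            print(f"[{share}] {param} = {value}  (ACL is not consulted for these users)")
```

Run it against the effective configuration rather than the file on disk: `testparm -s` prints the service definitions smbd will actually use, including values inherited from [global] and from any included files, and its output parses the same way. A share that shows up in this report grants root-equivalent or fixed-account access by configuration; a share that does not, and still lets a domain admin through an explicit deny, is the behavior the report is about.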
Updated by Adam Stylinski 8 days ago
Just tried sharing a file on Windows 10 to another Windows host with permissive share permissions, but the ACL on the file was restricted in such a way that only the owner could do anything with it. I received access denied when accessing it as the domain admin (the file is owned by an otherwise ordinary user).
This is definitely a bug in that it doesn't match Windows' behavior.