All,

I am building a glusterfs environment for file storage and need to use ACLs. The CentOS system is joined to AD. We have ingested data into the Gluster environment at /toplevel.

OS: CentOS 7.3
Glusterfs: 3.10.5
Samba: 4.4.4

smb.conf:

    [global]
    workgroup = GROUP
    security = ADS
    realm = GROUP.DOMAIN.COM
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    map acl inherit = yes
    store dos attributes = yes
    vfs objects = acl_xattr
    inherit acls = yes
    inherit owner = yes
    inherit permissions = yes
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config GROUP : backend = rid
    idmap config GROUP : range = 1000000-1999999

    [toplevel]
    vfs objects = glusterfs
    glusterfs:volume = vol
    glusterfs:logfile = /var/log/samba/glusterfs-vol.log
    glusterfs:loglevel = 7
    path = /toplevel
    public = no
    writable = yes
    guest ok = no
    valid users = @"group1",@"group2",@"group3"
    kernel share modes = no

*Question 1:* *Are there any performance concerns with the above settings in the smb.conf?*

The ACLs on /toplevel are:

    # getfacl toplevel
    # file: toplevel
    # owner: root
    # group: root
    user::rwx
    group::r-x
    group:group1:rwx
    group:group2:r--
    group:group3:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::r-x
    default:group:group1:rwx
    default:group:group2:r--
    default:group:group3:rwx
    default:mask::rwx
    default:other::r-x

When I create a directory under /toplevel directly on the Linux server as root, the ACLs are:

    # getfacl testing1
    # file: testing1
    # owner: root
    # group: root
    user::rwx
    group::r-x
    group:group1:rwx
    group:group2:r--
    group:group3:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::r-x
    default:group:group1:rwx
    default:group:group2:r--
    default:group:group3:rwx
    default:mask::rwx
    default:other::r-x

However, when I create a directory under /toplevel via Windows as a user from group1, the ACLs are:

    # getfacl testing2
    # file: testing2
    # owner: root
    # group: root
    user::rwx
    user:root:rwx
    user:group1:rwx
    user:group2:r--
    user:group3:rwx
    group::r-x
    group:root:r-x
    group:group1:rwx
    group:group2:r--
    group:group3:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:root:rwx
    default:user:group1:rwx
    default:user:group2:r--
    default:user:group3:rwx
    default:group::r-x
    default:group:root:r-x
    default:group:group1:rwx
    default:group:group2:r--
    default:group:group3:rwx
    default:mask::rwx
    default:other::r-x

*Question 2:* *Can someone explain why creating the directory via Windows adds these permissions:*

*user:group1:rwx*
*user:group2:r--*
*user:group3:rwx*
*default:user:root:rwx*
*default:user:group1:rwx*
*default:user:group2:r--*
*default:user:group3:rwx*

*Is this expected/needed or is there something I should modify to avoid these additions?*

When I create a file under /toplevel directly on the Linux server as root, the ACLs are:

    # getfacl test.txt
    # file: test.txt
    # owner: root
    # group: root
    user::rw-
    group::r-x          #effective:r--
    group:group1:rwx    #effective:rw-
    group:group2:r--
    group:group3:rwx    #effective:rw-
    mask::rw-
    other::r--

With:

    -rw-rw-r--+ 1 root root 0 Oct 3 16:07 test.txt

When I create a file under /toplevel via Windows as a user from group1, the ACLs are:

    # getfacl test1.txt
    # file: test1.txt
    # owner: root
    # group: root
    user::rwx
    user:root:rwx
    user:group1:rwx
    user:group2:r--
    user:group3:rwx
    group::r-x
    group:root:r-x
    group:group1:rwx
    group:group2:r--
    group:group3:rwx
    mask::rwx
    other::r-x

With:

    -rwxrwxr-x+ 1 root root 0 Oct 3 16:09 test1.txt

*Question 3:* *The file creation under /toplevel on the Linux server as root creates 'effective' permissions, can anyone explain why?*

*Question 4:* *The file creation under /toplevel via Windows as a user from group1 adds the 'user:group*:***' permissions (same question above), but also creates the 'x' bit automatically for other. We need this for access to newly created directories but don't necessarily love the idea of having execute permissions for other by default on newly created files. Is there any way to address this?*

I apologize for the multiple questions and if some are not ideal for this forum. Any potential guidance is greatly appreciated, thanks in advance.

HB
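Added example, not part of the original post: a small Python check that applies the POSIX ACL mask rule to the two file ACLs quoted above, reproducing the '#effective' annotations on test.txt (mask rw-) and flagging the other-execute bit on test1.txt. The function names (parse, effective, reduced, other_can_execute) are this example's own, and the ACL text is copied from the post's getfacl output.

```python
import re

# ACL entries copied from the post's getfacl output (test.txt made locally, test1.txt via Samba).
LOCAL_FILE = """user::rw-
group::r-x
group:group1:rwx
group:group2:r--
group:group3:rwx
mask::rw-
other::r--"""
SAMBA_FILE = """user::rwx
user:root:rwx
user:group1:rwx
user:group2:r--
user:group3:rwx
group::r-x
group:root:r-x
group:group1:rwx
group:group2:r--
group:group3:rwx
mask::rwx
other::r-x"""

ENTRY = re.compile(r"^(user|group|mask|other):([^:]*):([r-][w-][x-])")

def parse(text):
    """Return (tag, qualifier, perms) access entries; comments and default: lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def effective(entries):
    """Apply the POSIX ACL mask: it caps named users, named groups and the owning
    group; the owner (user::) and other:: entries are never masked."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    result = {}
    for tag, qual, perms in entries:
        if tag == "mask":
            continue
        capped = tag == "group" or (tag == "user" and qual != "")
        eff = "".join(c if not capped or m != "-" else "-" for c, m in zip(perms, mask))
        result[f"{tag}:{qual}"] = (perms, eff)
    return result

def reduced(text):
    """Entries getfacl would annotate with '#effective:' (listed perms exceed the mask)."""
    return {k: e for k, (p, e) in effective(parse(text)).items() if p != e}

def other_can_execute(text):
    """True when the other:: entry carries the execute bit."""
    return effective(parse(text))["other:"][1][2] == "x"

if __name__ == "__main__":
    print(reduced(LOCAL_FILE), other_can_execute(LOCAL_FILE))
    print(reduced(SAMBA_FILE), other_can_execute(SAMBA_FILE))
```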