On 07/01/2020 22:25, Carlos Jesus via samba wrote:
> Hello list!
> For some reason ACL inheritance is not working on my FS. Anytime anyone
> creates a folder/file under a share, the permissions are not inherited.
> My system is a 2DC + a FS running samba 4.10.10. Everything self compiled
> running on Debian Buster.
> Several shares were created according to
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> By adding the following lines to the [global] section I forced samba to
> inherit permissions, but I thought that this was deprecated and that map
> acl inherit was the only thing needed.
> inherit acls = yes
> inherit owner = yes
> inherit permissions = yes
>
> Any ideas?
>
> My smb.conf for the FS:
> [global]
> security = ADS
> workgroup = EUROHIDRA
> realm = EUROHIDRA.LOCAL
> netbios name = EHFS
> interfaces = lo br0
> bind interfaces only = yes
> log file = /var/log/samba/%U.log
> log level = 1
> username map = /usr/local/samba/etc/user.map
>
> local master = no
> time server = no
> wins support = no
>
> idmap config EUROHIDRA : backend = ad
> idmap config EUROHIDRA : range = 10000-999999
> idmap config EUROHIDRA : schema_mode = rfc2307
> idmap config EUROHIDRA : unix_nss_info = yes
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> winbind use default domain = yes
> # winbind enum groups = yes
> # winbind enum users = yes
> winbind nss info = template
> template shell = /bin/bash
> template homedir = /home/%U
>
> vfs objects = acl_xattr
> map acl inherit = yes
>
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> winbind refresh tickets = Yes
>
> #only for ext4. remove for other FS's
> strict allocate = yes
>
> smbd profiling level 1
> min receivefile size = 16384
> use sendfile = yes
> server min protocol = SMB2
> write cache size = 65536
>
> #For 4 minutes to release lock (Outlook remember?)
> socket options = TCP_NODELAY TCP_KEEPIDLE=240 TCP_KEEPCNT=4 TCP_KEEPINTVL=15
>
> load printers = no
> printcap name = /dev/null
>
> [Tecnico]
> comment = Departamento Tecnico
> writeable = yes
> path = /mnt/disco2/Users/Tecnico
> vfs objects = full_audit
> full_audit:prefix = %u|%I
> full_audit:failure = none
> full_audit:success = mkdir rmdir pread pwrite unlink sendfile
> rename op$
> full_audit:facility = LOCAL5
> full_audit:priority = NOTICE

You have turned off ACLs on 'Tecnico' by adding 'vfs objects = full_audit' to the share. Remove it and add 'full_audit' to the 'vfs objects' line in global, or add 'acl_xattr' to the 'vfs objects' line in the share.

Rowland
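
A check for the override described in the reply above, as an added example that is not part of the original thread: it assumes a share-level `vfs objects` line replaces the `[global]` list rather than extending it, and reports shares that lose an ACL module that way. The sample configuration is constructed from the one quoted above; the `[Fixed]` and `[Plain]` shares and their paths are hypothetical.

```python
import re

ACL_MODULES = {"acl_xattr", "acl_tdb"}  # Samba VFS modules that store Windows ACLs

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def modules(value):
    """Split a 'vfs objects' value on whitespace or commas."""
    return set(re.findall(r"[^\s,]+", value))

def shares_dropping_acl_module(text):
    """Map share -> ACL modules set in [global] but lost by the share's own 'vfs objects'."""
    conf = parse_smb_conf(text)
    global_acl = ACL_MODULES & modules(conf.get("global", {}).get("vfs objects", ""))
    findings = {}
    for name, params in conf.items():
        if name == "global" or "vfs objects" not in params:
            continue  # no share-level line: the global module list applies
        lost = global_acl - modules(params["vfs objects"])
        if lost:
            findings[name] = sorted(lost)
    return findings

# Constructed sample (assumption): reduced from the thread's smb.conf,
# with hypothetical [Fixed] and [Plain] shares added for contrast.
SAMPLE = """
[global]
    vfs objects = acl_xattr
    map acl inherit = yes
[Tecnico]
    path = /mnt/disco2/Users/Tecnico
    vfs objects = full_audit
[Fixed]
    path = /srv/fixed
    vfs objects = acl_xattr full_audit
[Plain]
    path = /srv/plain
"""

if __name__ == "__main__":
    for share, lost in shares_dropping_acl_module(SAMPLE).items():
        print(f"[{share}] overrides 'vfs objects' and drops: {', '.join(lost)}")
```

Share names are lower-cased by the parser, so `[Tecnico]` is reported as `tecnico`.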