G33k pHr33k
2020-Nov-03 12:26 UTC
[Samba] Group with RWX acl cannot delete as file/dir owned by user with RWX
Thank you for any help with this:

Using xattr so that I can manage a domain joined Samba server share with AD permissions. The underlying OS file perms are 777 and I have set the share with -R a+w to make sure that permissions for owner and group are the same. Getfacl returns:

# file: deleteme.txt
# owner: root
# group: group_access
user::rwx
group::rwx
group:group_access:rwx
mask::rwx
other::rwx

From Windows, if I try to delete the file in the share it throws back that the file is owned by Unix User\root and cannot be deleted without permission. I am a member of group_access on AD and should have full rights over the file.

What have I done wrong? This is affecting all shares and files. If I use the Windows Share management and set permissions then it'll work fine until new files and folders are added.

Version 4.9.5-Debian

smb.conf (with a little redaction):
---------------------------------------
#======================= Global Settings ======================
[global]
log level = 1
writeable = yes
delete veto files = yes
map acl inherit = yes
inherit acls = yes
create mode = 0666
pam password change = yes
username map = /etc/samba/user.map
map to guest = bad user
#winbind enum users = yes
security = ADS
log file = /var/log/samba/log.%m
idmap config company : backend = rid
realm = COMPANY.LTD
passwd program = /usr/bin/passwd %u
vfs objects = acl_xattr
server string = Catapult Server
#store dos attributes = yes
winbind use default domain = yes
passdb backend = tdbsam
panic action = /usr/share/samba/panic-action %d
delete readonly = yes
acl_xattr:ignore system acls = yes
server role = member server
dns proxy = no
workgroup = COMPANY
unix extensions = no
obey pam restrictions = yes
unix charset = UTF-8
idmap config * : range = 3000-7999
veto files /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/. at __thumb/. at __desc/:2e*/._.DS_Store/.DS_S tore/
force directory mode = 02777
usershare allow guests = yes
idmap config * : backend = tdb
max log size = 1000
protocol = SMB2
directory mode = 02777
force create mode = 0666
unix password sync = yes
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
idmap config company : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
wide links = no
#winbind enum groups = yes
load printers = no
printing = bsd
printcap = /dev/null
disable spoolss = yes
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
# This will prevent nmbd to search for NetBIOS names through DNS.
#### Debugging/Accounting ####
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
############ Misc ############
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
# idmap uid = 10000-20000
# idmap gid = 10000-20000
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
# Templates for shell and home
# Usr Map
#socket options = SO_SNDBUF=33554432 TCP_NODELAY
#======================= Share Definitions ======================
[BorgRecovery]
path = /mnt/borgrecovery
read only = yes
guest ok = yes
writable = no
[ArgononEnvy]
path = /srv/samba/CompanyShare
read only = no
-------------------------------------------

How do I defeat the file ownership with the group being able to also delete?

Regards
Karl
Rowland penny
2020-Nov-03 14:08 UTC
[Samba] Group with RWX acl cannot delete as file/dir owned by user with RWX
On 03/11/2020 12:26, G33k pHr33k via samba wrote:
> Thank you for any help with this:
> Using xattr so that I can manage a domain joined Samba server share
> with AD permissions. The underlying OS file perms are 777 and I have
> set the share with -R a+w to make sure that permissions for owner and
> group are the same. Getfacl returns:

Try reading this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
G33k pHr33k
2020-Nov-03 16:56 UTC
[Samba] Group with RWX acl cannot delete as file/dir owned by user with RWX
I have read through that and that's where I'm at now. I cannot understand why I have permissions fighting and the group permissions are being trumped by the owner.

Regards
Karl

-----Original Message-----
From: Rowland penny via samba <samba at lists.samba.org>
Reply-To: Rowland penny <rpenny at samba.org>
To: samba at lists.samba.org
Subject: Re: [Samba] Group with RWX acl cannot delete as file/dir owned by user with RWX
Date: Tue, 3 Nov 2020 14:08:27 +0000

On 03/11/2020 12:26, G33k pHr33k via samba wrote:
> Thank you for any help with this:
> Using xattr so that I can manage a domain joined Samba server share
> with AD permissions. The underlying OS file perms are 777 and I have
> set the share with -R a+w to make sure that permissions for owner and
> group are the same. Getfacl returns:

Try reading this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
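
Added example (not part of the thread and not Samba code): a small Python reader for the smb.conf posted in the first message. It folds parameter synonyms, resolves each share's effective settings over [global], and reports whether acl_xattr is loaded with "ignore system acls = yes", the setting under which the vfs_acl_xattr module does no mapping between the NT ACL it stores and the POSIX ACL that getfacl prints. The excerpt is constructed from the posted parameters; the function names are hypothetical.

```python
import re

# Constructed excerpt: a subset of the parameters quoted in the first message.
SMB_CONF = """\
[global]
writeable = yes
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
create mode = 0666
[BorgRecovery]
read only = yes
writable = no
[ArgononEnvy]
read only = no
"""

# Synonyms per smb.conf(5): canonical name, and whether the boolean is inverted.
SYNONYMS = {"writeable": ("readonly", True), "writable": ("readonly", True),
            "writeok": ("readonly", True), "createmode": ("createmask", False)}

def norm(name):
    # Samba compares parameter names ignoring case and whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and cur is not None:
            key, val = (p.strip() for p in line.split("=", 1))
            canon, inverted = SYNONYMS.get(norm(key), (norm(key), False))
            if inverted:
                val = "no" if val.lower() in ("yes", "true", "on", "1") else "yes"
            cur[canon] = val  # a later line in the same section wins
    return sections

def effective(sections, share):
    # Values set in the share override the [global] defaults.
    return {**sections.get("global", {}), **sections[share.lower()]}

def nt_acl_only(s):
    # True when acl_xattr is loaded and told not to map to or from POSIX ACLs.
    return ("acl_xattr" in s.get("vfsobjects", "").split()
            and s.get("acl_xattr:ignoresystemacls", "no").lower() == "yes")
```

Calling nt_acl_only(effective(parse(SMB_CONF), "ArgononEnvy")) returns True for the posted settings, so on that share the ACL to inspect is the one in the file's security.NTACL extended attribute.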