samba - Mar 2022 - permissions weirdness

So, I'm baffled.
Here's what I've got - hopefully I haven't forgotten anything.

testparm output
---
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

[global]
        min domain uid = 0
        realm = AD.ABC.LOCAL
        security = ADS
        server role = member server
        server string = FileServer
        username map = /etc/samba/user.map
        workgroup = AD
        acl_xattr:ignore system acls = yes
        idmap config ad : range = 10000-999999
        idmap config ad : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        vfs objects = acl_xattr


[shared-files]
        comment = user-profiles
        path = /abc-zfs-01/ad-shared-folders/shared-files/
        read only = No
        acl_xattr:ignore system acls = yes


---
I have removed all the system.NTACL files. (Though I never saw any of
these, anyway.)

Set initial POSIX perms
setfacl --recursive --remove-all  folder
chown -R root:"AD\Domain Admins" folder
chmod -R 0775 folder

In the "shared-files" share - I have a base-folder.

Then I have an IT folder.

In the IT folder I grant AD\GS full control.

(Using the Windows file explorer. Rt click folder, properties | Security
tab | Advanced | Permissions tab;
Add, select principle AD\GS, Allow,  This folder, subfolders and files,
full control, OK. Inheritance is disabled. "Replace all child
objects...:checked"
The share permisions are; everyone, full control.)

(AD\GS is a user account; though I started with a group which GS was a
member of, with the same results)

On a Windows AD joined station, I logout and login as GS.
I can go into the IT folder.
I can edit a text file, created by the administrator account.
I can delete that file.
But I *can't* create a new file or directory?

But I *can* open permissions and add another group/user with full
permissions to the IT folder. !?!
---

Wha?
How can this be?
I'm about to douse myself with gasoline and light up!

Permissions are totally wonky.
I've done this before on other setups, and I've never had this happen.

Addl Deets:
Ubuntu 20.04, running 4.15.6 (Louis' repo)
The disks where the shares reside are ZFS, though I don't think this
matters.
DNS works.
Genent returns users and groups fine.
Time is synced.

I'm completely at a loss for what's going on.
Anyone?

Ok, 

Set initial POSIX perms

setfacl --recursive --remove-all  folder
chown -R root:"AD\Domain Admins" folder
chmod -R 2775 folder


Folder	2775 root:"AD\Domain Admins"  , everone has access only because
the last 5.


folder/IT   2770 root:"AD\IT", 		, "AD\Domain Admins"
inherits, you Add "Domain Users" RW and "AD\IT" RWX
folder/IT						  and add "Creator Group" full control 

(* assuming AD\IT is a group) 

Where "AD\Domain Admins" is the manager of the folders.. 
"AD\IT" is the security group to controle acces in/out.  *( all except
full control )
 "Domain Users" is used and gets the rights on files *( primary group
is domain users)  *( all except full control )

Full control is only needed if you want these user to have the ability to change
the rights.

Try above. 

And, i suggest, remove acl_xattr:ignore system acls = yes in the Global and
share first.
Then try above, not your expected result, the add it back on the share only. 
Then check/set rights again.. 

Test again. 

Greetz, 

Louis