>Enable ACL support for the SMB share. Disabling ACL support for a share deletes that ACL.
This is incorrect. Disabling ACL support does _not_ remove an ACL from the share.
The checkbox disables NT ACL support (security tab in Windows), and puts us into a state where we fake up an Windows SD for internal purposes in samba based exclusively on the POSIX mode.
Share access is denied if a non-trivial ACL (one that can be expressed as a POSIX mode without loss of information) is on the path, but we don't actively strip ACLs (because that's not safe).
This is explicitly stated in a graphical warning that pops up when the box is unchecked and the path has a non-trivial ACL on it.
> An ACL is detected on the selected path but Enable ACL is not selected for this share. ACLs must be stripped from the dataset prior to creating an SMB share.
To give a bit more detail. Suppose you have a situation where you're sharing the same dataset via NFSv3 and SMB. You want to coordinate permissions between the two of them from the client perspective. If you strip the ACL from the share, then POSIX mode gets presented to the NFS client via normal process and this accurately represents the state of permissions to the NFS client. If ACL is disabled on the SMB side, an SMB client _cant_ set something that isn't representable to the NFS client. In this case the inverse of the write bits are represented as the DOS "readonly" mode.