AD User ACEs added as Group ACEs from Windows

When managing the Active Directory ACL permissions for either a dataset or a directory via an SMB share, the permissions that get added for a user are listed in the ACL editor and via nfs4xdr_getfacl as being for a group, not for a user.

The permissions do seem to work successfully from the Windows side, since there doesn’t seem to be any differentiation between users and groups there. However, the ACL when viewed on the TrueNAS side appears incorrectly for each user added from the Windows side. If you try to make a change to any of the entries, the ACL cannot be saved without first remaking each of the incorrect ACEs that should be users instead of groups.

I initially experienced this with TrueNAS SCALE ElectricEel on our TrueNAS Mini-R at work, where we are running Samba AD as our Active Directory service. I thought this might be an incompatibility with Samba AD, so I retested with Windows Server 2022 running a brand new AD forest, with the same results. I have also tested with CORE 12, CORE 13, Dragonfish, and the latest Fangtooth build.

Is this a known bug when trying to manage ACLs from both TrueNAS and Windows? I am preparing a large directory structure migration from an old non-TrueNAS-based fileserver to TrueNAS and would like to make sure I don’t run into issues when setting up all of the ACLs. It would be my preference to manage all of the ACLs from the TrueNAS side, since the company I work for doesn’t do much with Windows and is primarily running macOS clients, but TrueNAS doesn’t have an inbuilt ACL editor for directories, only for datasets, and I can’t manage permissions only at the dataset level since TrueNAS doesn’t allow dataset names to contain spaces, which our existing directory structure has. I have tried using nfs4xdr_setfacl -e path to modify the ACL from the terminal but found that it then doesn’t like DOMAIN\Domain Users to have a space in it either.

I thought it might be best to see if there were any recommendations before I have to learn how to write directly to the TrueNAS API.

Thank you for any guidance you can provide.