Dataset ACL / SMB - create but no delete doesn't work still

I have a shared dataset, with user datasets underneath.
i.e. /shared/user1, /shared/user2, etc.

The users are supposed to be able to create files/folders, but not be able to delete on windows clients
The admin user (user2), should have full admin

File: user1

owner: 1001

group: 1001

mode: 0o40711

trivial_acl: false

ACL flags: none
user:user1:----Dd--------:fd-----:deny
user:user1:rwxp--aARWc--s:fd-----:allow
owner@:rwxpDdaARWcCos:fd-----:allow
everyone@:--x---a-R-c---:fd-----:allow
user:user2:rwxpDdaARWcCos:fd-----:allow

User1 can’t create folders/files in Shared - correct
User1 can create files, but can’t delete file in any folder under /shared/user1 - correct
User1 can’t create folders, or delete folders in any folder under /shared/user1 - PROBLEM
FYI - without the explicit deny rule, the user is able to delete the files they create.

As profession Julius Sumner Miller says…. Why is it so?

TN26% touch foo    
TN26% chmod 000 foo
TN26% stat foo
  File: foo
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: 0,49	Inode: 4997        Links: 1
Access: (0000/----------)  Uid: ( 3000/ smbuser)   Gid: ( 3000/ smbuser)
Access: 2026-05-25 12:02:34.851120267 -0700
Modify: 2026-05-25 12:02:34.851120267 -0700
Change: 2026-05-25 12:02:37.535175736 -0700
 Birth: 2026-05-25 12:02:34.851120267 -0700
TN26% rm -f foo
TN26% 

It’s the way things have always worked. FWIW the owner of a file always has enhanced privileges regarding it. This is the same across basically all operating systems.

1 Like