
ACL always sets group execute permissions on files (Samba)

1 vote
0 answers
547 views
I have some users in the "sambashare" group and some in the "sambashareAdmin" group. Only users from the "sambashareAdmin" group are allowed to change/create stuff.

All files should belong to haegarthehorrible:sambashare, no matter if I create them on the server or if I move/copy them to the server.

The problem is that all files get execute permissions on the group (670/-rw-rwx---) and not 660/-rw-rw---- if the Windows workstation user (paradise) does it.

I tried "obey pam restrictions" with yes and no in Samba, which makes no difference. I also tried "create mask" and "directory mask" or "force create mode" and "force directory mode" or both together. I tried chmod g+s and g+s,u+s. I tried complicated stuff like:

    ~$ sudo chmod -R a-x,u=rX,g=rX,u+w,g+w /mnt/pool/Share/Backup
    ~$ sudo chmod -R a-x,u=rwX,g=rwX /mnt/pool/Share/Backup

Also funny is that if I use "rwX" instead of "rw" (chmod or setfacl) I get execute on the owner permissions. I thought X only sets it on directories?

So here is what now looks really complicated and still does not work. Remember, these are all directories that already have files/directories in them.

    ~$ sudo nano /etc/samba/smb.conf

    [global]
    server string = Harvester
    server role = standalone server
    server min protocol = SMB2
    workgroup = WORKGROUP
    interfaces = lo enp0s31f6
    bind interfaces only = yes
    logging = file
    log file = /var/log/samba/log.%m
    max log size = 1000
    load printers = no
    show add printer wizard = no
    disable netbios = yes
    dns proxy = no
    deadtime = 30
    smb ports = 445
    smb encrypt = off
    security = user
    obey pam restrictions = yes
    panic action = /usr/share/samba/panic-action %d
    use sendfile = yes
    directory mask = 2750
    create mask = 0640
    access based share enum = yes
    map to guest = bad user
    guest account = shareguest

    [Backup]
    path = /mnt/pool/Share/Backup
    guest ok = no
    browseable = no
    create mask = 0660
    directory mask = 2770
    force group = sambashare
    force user = haegarthehorrible
    write list = @sambashareAdmin
    valid users = haegarthehorrible paradise
    inherit acls = Yes

Set Permissions:

    ~$ sudo chown -R haegarthehorrible:sambashare /mnt/pool/Share/Backup
    ~$ sudo setfacl -R -b -k -n /mnt/pool/Share/Backup # Remove ACL
    ~$ sudo chmod -R g+s,u+s /mnt/pool/Share/Backup
    ~$ sudo chmod 0770 /mnt/pool/Share/Backup
    ~$ sudo find /mnt/pool/Share/Backup -type f -exec chmod 660 {} \;
    ~$ sudo find /mnt/pool/Share/Backup -type d -exec chmod 2770 {} \;
    ~$ sudo setfacl -R -d -m u::rw,g::rw,u:haegarthehorrible:rw,g:sambashareAdmin:rw /mnt/pool/Share/Backup # ACL for new items
    ~$ sudo setfacl -R -m u:haegarthehorrible:rw,g:sambashareAdmin:rw /mnt/pool/Share/Backup # ACL for old/existing items

sambashareAdmin Members:

    ~$ members sambashareAdmin
    haegarthehorrible paradise

sambashare Members:

    ~$ members sambashare
    shareguest watcher

Share Root Folder Permissions:

    ~$ ls -ld /mnt/pool/Share
    drwxr-xr-x 7 root root 4096 Aug 7 2023 /mnt/pool/Share

    ~$ stat /mnt/pool/Share
    Access: (0755/drwxr-xr-x) Uid: (0/root) Gid: (0/root)

    ~$ getfacl /mnt/pool/Share
    # file: mnt/pool/Share
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x

Share Permissions:

    ~$ ls -ld /mnt/pool/Share/Backup
    drwsrws---+ 5 haegarthehorrible sambashare 4096 Apr 25 2022 /mnt/pool/Share/Backup

    ~$ stat /mnt/pool/Share/Backup
    Access: (6770/drwsrws---) Uid: (1000/haegarthehorrible) Gid: (996/sambashare)

    ~$ getfacl /mnt/pool/Share/Backup
    # file: mnt/pool/Share/Backup
    # owner: haegarthehorrible
    # group: sambashare
    # flags: ss-
    user::rwx
    group::rwx
    other::---
    default:user::rw-
    default:user:haegarthehorrible:rw-
    default:group::rw-
    default:group:sambashareAdmin:rw-
    default:mask::rw-
    default:other::---

File Permissions:

    ~$ ls -l /mnt/pool/Share/Backup/Test.txt
    -rw-rwx---+ 1 haegarthehorrible sambashare 0 Feb 11 07:18 /mnt/pool/Share/Backup/Test.txt

    ~$ stat /mnt/pool/Share/Backup/Test.txt
    Access: (0670/-rw-rwx---) Uid: (1000/haegarthehorrible) Gid: (996/sambashare)

    ~$ getfacl /mnt/pool/Share/Backup/Test.txt
    # file: mnt/pool/Share/Backup/Test.txt
    # owner: haegarthehorrible
    # group: sambashare
    user::rw-
    user:haegarthehorrible:rw-
    group::rw-
    group:sambashare:rw-
    group:sambashareAdmin:rw-
    mask::rwx
    other::---

Asked by MrGlasspoole (111 rep)
Feb 11, 2024, 08:24 AM
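
A way to read the getfacl output for Test.txt quoted in the question, as an added example that is not part of the original post: on Linux, once a file's ACL contains a mask entry, the group bits that ls and stat report mirror mask:: rather than group::, and the mask caps named-user and group entries (acl(5)). The function names are hypothetical and the sample input is the question's own output, embedded as a constant.

```python
# Constructed sample: getfacl output for Test.txt, copied from the question.
TEST_TXT_ACL = """\
# file: mnt/pool/Share/Backup/Test.txt
# owner: haegarthehorrible
# group: sambashare
user::rw-
user:haegarthehorrible:rw-
group::rw-
group:sambashare:rw-
group:sambashareAdmin:rw-
mask::rwx
other::---
"""

BITS = {"r": 4, "w": 2, "x": 1}

def perm_to_int(perm):  # "rw-" -> 6
    return sum(BITS[c] for c in perm if c in BITS)

def int_to_perm(n):  # 6 -> "rw-"
    return "".join(c if n & b else "-" for c, b in BITS.items())

def analyse_acl(getfacl_text):
    """Return (mode bits as stat shows them, {entry: effective permissions})."""
    entries = {}
    for line in getfacl_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line or line.startswith("default:"):
            continue  # default entries only affect newly created children
        tag, qualifier, perm = line.split(":")
        entries[(tag, qualifier)] = perm_to_int(perm[:3])
    mask = entries.get(("mask", ""))
    # With a mask entry, the mode's group bits show the mask, not group::.
    # Without one, they show group:: as on a file with no extended ACL.
    group_bits = mask if mask is not None else entries[("group", "")]
    mode = entries[("user", "")] << 6 | group_bits << 3 | entries[("other", "")]
    effective = {}
    for (tag, qualifier), perm in entries.items():
        if tag == "mask":
            continue
        # user:: (owner) and other:: are never masked; everything else is.
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if masked and mask is not None:
            perm &= mask
        effective[f"{tag}:{qualifier}"] = int_to_perm(perm)
    return mode, effective

if __name__ == "__main__":
    print("%04o %s" % analyse_acl(TEST_TXT_ACL))
```

For the question's file this gives mode 0670 while every entry's effective permission is rw-, so the x shown in the group position is the mask::rwx entry and not an execute right held by any user or group.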