In my environment I need to support NFS clients (NFS is faster – good for streaming) and also SMB clients (Mac & Windows). The following notes are the results of my experimentation in using different methods for restricting access to the shares.

NFS shares depend upon user UIDs matching, and permissions only seem to work if POSIX permissions are used. If I apply ACLs to the share – even one named for my user – I lose access unless I include a very open Everyone@ ACL.

I am therefore restricted to using simple (POSIX) permissions, with me (the administrator of the environment) as owner and the share content owner as a group name. I then put the share content owner’s user in that group. Using this approach, there is no need to set a mapall or maproot for NFS shares – just enable the share and away we go. One side effect of this approach though is that I had to update Transmission’s default umask from 018 to 002, else files and folders it creates would be read-only for all users other than transmission itself.
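The umask side effect described above, as an added example that is not part of the original notes. It assumes the 018 refers to Transmission's decimal umask setting 18, which is octal 022; the directory and file names are constructed, and the check runs against a throwaway temp directory rather than a real share.

```shell
#!/bin/sh
# Added example: shows why a daemon running with umask 022 leaves content
# that other members of the owning group cannot modify, and how to list
# such entries on a share. All paths below are constructed for the demo.

# Print every entry under directory $1 (relative to it) that lacks the
# group-write bit, i.e. content that is read-only for group members.
not_group_writable() {
    ( cd "$1" && find . -mindepth 1 ! -perm -020 | sort )
}

# Build a scratch "share" with content created under both umasks,
# then run the check over it.
demo() {
    share=$(mktemp -d) || return 1
    # Subshells keep each umask change local to the block that needs it.
    ( umask 022; : > "$share/made-with-022"; mkdir "$share/dir-022" )
    ( umask 002; : > "$share/made-with-002"; mkdir "$share/dir-002" )
    not_group_writable "$share"
    rm -rf "$share"
}

# 022 yields files 644 / dirs 755 (no group write);
# 002 yields files 664 / dirs 775 (group write kept).
demo
```

Pointing `not_group_writable` at the dataset's mount point lists anything created before the umask change, which still needs a `chmod g+w` to become writable for the group.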

SMB shares are then simply user-based – I do not apply anything in the Filesystem ACLs. As for the Share ACL, that is still to be experimented with – perhaps it controls whether the share is visible to end users at all?