We mostly use Linux machines with a sprinkling of Windows. I’m aware you can use the Windows permissions to manage ACLs but since I only use Linux myself, it would be a pain to manage.
Interestingly, the Samba documentation actually includes this as a specific use case. It states:
The ownership of new files and directories is normally governed by effective uid of the connected user. This option allows the Samba administrator to specify that the ownership for new files and directories should be controlled by the ownership of the parent directory.
Common scenarios where this behavior is useful is in implementing drop-boxes, where users can create and edit files but not delete them and ensuring that newly created files in a user’s roaming profile directory are actually owned by the user.
To me, having the server manage this itself is preferable over dicking around with Windows permissions (where mistakes can be made due to human error). This way, I only need to set the ACLs in FreeNAS then add the user to the appropriate group.
EDIT: Having worked on this issue for a few days now, I can’t conclude that it’s working as it should… it’s only kinda-sorta working.
The above works only for files/folders in the root of a dataset, but it doesn’t inherit properly into subfolders or files. This obviously creates a huge problem because those with write (but not delete) permissions can still delete files via SMB, even with an explicit deny ACL set recursively. I’ve been having some luck by setting dataset share types to “Generic” instead of “SMB” and ACL mode to “Passthrough” (even when used with SMB shares/clients). I’ll report back tomorrow with my findings.
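A server-side audit of the drop-box rule quoted from the Samba documentation, checking every subfolder rather than only the top level. This is an added example, not code from the original post or from Samba. It assumes a plain POSIX layout where the drop-box relies on the sticky bit and on entries taking the parent directory's owner, and it does not read the NFSv4 ACLs used on FreeNAS datasets; the function names and the sample tree are hypothetical.

```python
import os
import stat
import tempfile


def audit_dropbox(root):
    """Walk root and return (path, problem) pairs that break the drop-box rule.

    Assumption: POSIX mode bits only. NFSv4/ZFS ACLs are not inspected.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dst = os.lstat(dirpath)
        shared_write = dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        sticky = dst.st_mode & stat.S_ISVTX
        # Write access on a non-sticky directory lets any writer unlink
        # any entry in it, whatever the entry's own permissions are.
        if shared_write and not sticky:
            findings.append((dirpath, "writable without sticky bit"))
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            est = os.lstat(path)
            # In a sticky directory the entry's owner may still delete it,
            # so an entry that kept its creator's uid is deletable by them.
            if est.st_uid != dst.st_uid:
                findings.append((path, "owner differs from parent directory"))
    return findings


def build_sample_tree(base):
    """Constructed sample: a correct top level and a subfolder that lost the bit."""
    top = os.path.join(base, "dropbox")
    sub = os.path.join(top, "incoming")
    os.makedirs(sub)
    open(os.path.join(sub, "report.txt"), "w").close()
    os.chmod(top, 0o1770)   # sticky + group write: the intended setting
    os.chmod(sub, 0o0770)   # group write, no sticky: not inherited
    return top


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for path, problem in audit_dropbox(build_sample_tree(base)):
            print(f"{problem}: {path}")
```

Run against a real share path, an empty result means no directory in the tree lets a non-owner writer delete entries under these mode-bit assumptions.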