It's my experience that most users want ACLs which interoperate with the native filesystem as well as NFSv3/v4--in other words, they want their permissions to be the same regardless of access protocol. In this respect I think Sun and Isilon did it right by integrating ACL/SID support directly into the kernel.
This fixes some minor interop. nits (group owners of files, for example) but also allows the Windows privilege model to be integrated as a first class citizen in the OS, and most importantly, allows for SIDs to be stored natively as the user's in-kernel credentials, which is a real boon for identity management/mapping across protocols, and for group policy (e.g. local groups). As a bonus, this allows any userspace CIFS processes to run without escalated privilege (e.g. switching to root for take ownership) which can be seen as a security risk.