Samba is disgusting. We have samba servers that authenticate users using Winbind against our domain. Today I spent the entire day trying to create a new share on one of the servers so that is accessible by only one specific group on the domain. I could not for the life of me make it work. I eventually concluded that the winbind database is corrupt on this particular server because after hours of failed attempts to make it work, I thought to query the winbind service. It was returning nonsensical SIDs for some objects and showing duplicate records (same group with two SIDs somehow.) I don't want to mess with fixing winbind, so I have just declared that it is not possible for the users to have this share.