Problem:

Share rights seem not to be applied. The user schueler.it should be allowed to access the share, but

Investigation:

root@ucs:~# smbclient //ucs.schein.me/test -U schueler.it -c ls
Password for [SCHEIN\schueler.it]:
tree connect failed: NT_STATUS_ACCESS_DENIED

cat /etc/samba/shares.conf.d/sun-Testy 
[sun-Testy]
path = /home/sun/groups/sun-Testy
msdfs root = no
writeable = yes
browseable = yes
public = no
dos filemode = no
hide unreadable = no
create mode = 0770
directory mode = 0770
force create mode = 0
force directory mode = 0
locking = 1
strict locking = Auto
oplocks = 1
level2 oplocks = 1
fake oplocks = 0
csc policy = manual
invalid users = schuelerin.it
force group = +sun-Testy
nt acl support = 1
inherit acls = 1
vfs objects = acl_xattr
inherit owner = yes
inherit permissions = yes
map acl inherit = yes

testparm -sv shows
[sun-Testy]
        create mask = 0770
        directory mask = 0770
        force group = +sun-Testy
        include = /etc/samba/shares.conf.d/pdfPrinterShare
        inherit acls = Yes
        inherit owner = windows and unix
        inherit permissions = Yes
        invalid users = schueler.it
        map acl inherit = Yes
        path = /home/sun/groups/sun-Testy
        read only = No
        vfs objects = acl_xattr

We have a service from a listener, which writes the config files in /etc/samba/local.config.d/
services/univention-samba/python/share_restrictions.py

Solution:

So the configuration in /etc/samba/shares.conf.d is right, but testparm shows a something different for the share. There are some shares (workgroups shares, Veyon, Opsi, Sysvol), which have a local.config in /etc/samba/local.config.d/
In this config

cat /etc/samba/local.config.d/sun-Testy.local.config.conf 
[sun-Testy]
hosts deny = 10.0.10.28
invalid users = schueler.it

Here is the wrong user still in the config