you did not restrict the access to the group “Tradecom-Office” in the Samba settings. On the other hand you did tell Samba to treat all valid accesses as coming from the group “Tradecom-Office”.
So what actually happens when a user who’s not a member of that group accesses the share is:
1. Samba verifies the user’s login credentials (user name & password or Kerberos token).
2. Samba checks if its `valid users` option is set. If so, it verifies that the user is either listed in `valid users` directly or is a member of a group listed in `valid users`. In your case nothing’s set in `valid users` (the corresponding German option is “Gültige Benutzer oder Gruppen”). Therefore the access is allowed to continue.
3. Next Samba looks at the `force group` setting (in German: “Erzwungene Gruppe”). If it is set, then that group name will be used when accessing the file system. In your case it is set, therefore “Tradecom-Office” will be the group used to access the files.
4. Now Samba will access the file system. The Linux kernel sees an access by some user and the group “Tradecom-Office” (due to step 3) and verifies that access against the file permissions and ACLs. As the permissions and ACLs state that the group “Tradecom-Office” has read & write access, the access is allowed.
What you probably want is to set `valid users` to `@Tradecom-Office` in order to restrict access to the share to members of that group. See `man smb.conf` for details.
BTW: None of this has anything to do with NFS. It applies to any type of shared directory, no matter what the underlying storage is.
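An added example, not part of the original answer and not Samba tooling: a small Python check that flags shares where `force group` is set while `valid users` is empty, which is the combination described in the steps above. The share names, paths and the sample configuration are constructed, and the function name `audit_force_group` is hypothetical.

```python
import configparser

# Constructed sample: the first share mirrors the situation in the answer
# (force group set, valid users empty); the second adds the restriction.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE

[office-open]
    path = /srv/shares/office
    force group = Tradecom-Office
    read only = no

[office-restricted]
    path = /srv/shares/office
    valid users = @Tradecom-Office
    force group = Tradecom-Office
    read only = no
"""

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return "".join(name.split()).lower()

def audit_force_group(conf_text):
    """Return (share, forced_group) for shares with force group but no valid users."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = _norm
    # Strip indentation so configparser never treats a line as a continuation.
    parser.read_string("\n".join(l.strip() for l in conf_text.splitlines()))
    sections = {name: dict(parser[name]) for name in parser.sections()}
    # Settings in [global] act as defaults for every share.
    defaults = next((o for n, o in sections.items() if n.lower() == "global"), {})
    findings = []
    for share, own in sections.items():
        if share.lower() == "global":
            continue
        opts = {**defaults, **own}
        # "group" is documented in smb.conf(5) as a synonym for "force group".
        forced = opts.get("forcegroup") or opts.get("group")
        allowed = opts.get("validusers", "").strip()
        if forced and not allowed:
            findings.append((share, forced))
    return findings

if __name__ == "__main__":
    for share, group in audit_force_group(SAMPLE_SMB_CONF):
        print(f"[{share}] force group = {group}, but valid users is empty")
```

A flagged share is one where any authenticated user reaches the file system with the forced group's permissions; the check reads only the text it is given and does not follow `include` directives.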