security=share We have a service with "valid user = toto" It is possible to access to this service with a user name toto_titi and the password of toto, even if the unix and samba count "toto_titi" do not exist. Only "toto" count exist. It seems that the user control by samba is only on what is before the underscore. Excuse-me for my english. Regards
security = share and valid users doesn't make sense. one is a password based authentication and one is a user based authorization check.