According to the smb.conf man page, the service parameter, "Only User = No", when in Share level security, should make the service not be restricted by the User = parameter. Instead, what should happen in share level security is the following: all users accounts in the password databases should be matched against the password supplied by the client. What I'm seeing is the service authentication being controller by the user = parameter no matter what is specified for Only User =. Moreover, once this is fixed :), I think the default on shares should be Only User = Yes.
reseting target milestone. 3.0.1 has been frozen. WIll have to re-evaluate these.
i'm marking this parameter as deprecated in 3.0 to be removed.
originally reported against 3.0alpha23. Bugzilla spring cleaning.