If you are serving different users with one samba, users can see the other customers users when granting ACLs (rpc displayinfo queries).
Created attachment 5996 [details] This patch implements restricted userlistings in queryinfo RPC. Response contains only users in the querier's primary group. Modifications to implement restricted user listing. You can use restrictions only with LDAP backend. If ldap restrictions are switched on users can see users in thei primary groups and ther primary groups if they are trying to grant ACLs on windows. This is good for anybody who is serving different customers with one samba, and don't want them to see each others users.