source: vendor/current/docs-xml/smbdotconf/security/validusers.xml

<samba:parameter name="valid users"
                 context="S"
                 type="cmdlist"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
    <para>
    This is a list of users that should be allowed to login to this service. Names starting with 
    '@', '+' and  '&amp;' are interpreted using the same rules as described in the 
    <parameter moreinfo="none">invalid users</parameter> parameter.
    </para>

    <para>
    If this is empty (the default) then any user can login. If a username is in both this list 
    and the <parameter moreinfo="none">invalid users</parameter> list then access is denied 
    for that user.
    </para>

    <para>
    The current servicename is substituted for <parameter moreinfo="none">%S</parameter>. 
    This is useful in the [homes] section.
    </para>

    <para><emphasis>Note: </emphasis>When used in the [global] section this
    parameter may have unwanted side effects. For example: If samba is configured as a MASTER BROWSER (see
    <parameter moreinfo="none">local master</parameter>,
    <parameter moreinfo="none">os level</parameter>,
    <parameter moreinfo="none">domain master</parameter>,
    <parameter moreinfo="none">preferred master</parameter>) this option
    will prevent workstations from being able to browse the network.
    </para>

</description>

<related>invalid users</related>

<value type="default"><comment>No valid users list (anyone can login) </comment></value>
<value type="example">greg, @pcusers</value>
</samba:parameter>