[Samba] Grant only one AD group to samba share ?

Newman, John W John.newman at viaoncology.com
Mon May 21 09:20:03 MDT 2012


All,

On my Ubuntu Linux machine here, I already have Samba set up and configured with winbind to perform authentication against the local Windows domain controller. Thankfully that part is all working fine - that was supposed to be the hard part. The issue I have now is: I need to grant members of a certain AD group access to a share (this was supposed to be easy, but is not working).

Sanity check of winbind (sample output):

$ wbinfo -g
MYDOMAIN\domain admins
MYDOMAIN\domain users
MYDOMAIN\my group
MYDOMAIN\my group2

Looks good. I need to grant all users in "my group" access to the share, all others shouldn't even see it.

[share]
  comment = Testing
  path = /media/share
  guest ok = no
  read only = yes
  valid users = @"MYDOMAIN\My Group"
  browseable = no
  locking = no

If I put guest ok = yes, everything works fine. If I turn it to no, I get an authentication prompt. Answering it with invalid credentials comes back with "invalid user name or bad password", vs valid credentials says "access denied". So I know that the authentication with the domain controller is working fine, but limiting access to that group only is not.

The group name has a space in it which probably isn't helping. I have tried many different combinations, but nothing seems to work. What is the proper syntax for this? We have winbind separator=\ earlier in the config file -- is that part of the problem maybe?

  valid users = @"MYDOMAIN\My Group"
  valid users = "@MYDOMAIN\My Group"
  valid users = "MYDOMAIN\My Group"

etc.

Nothing seems to work. My methodology for testing this is fine: as soon as I put guest ok = yes, the share still works. What's the right syntax for valid users = "My Domain\My Group"? Any thoughts?

Thanks,
John

