Assuming you configured the SMB shares to be served through the 'vfs_ceph' plugin, access is granted only to users who have the permitted user group set as their primary group in AD. Due to a bug in the 'vfs_ceph' plugin, memberships in supplementary groups (all groups except the primary group) are not considered. By default, the AD group 'Domain Users' is set as the primary group of an AD user account. Granting access to the built-in group 'Domain Users' therefore works, but by default this grants access to most if not all AD users.

Setting the primary group of the affected users to a specific user group allows access control for the folders of the share.

Alternatively, the Ceph filesystem can be mounted into the filesystem of the Samba server and shared as a file system path. This way, access to the folders of the share should work as expected.
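
The two ways of sharing described above, side by side as an smb.conf fragment. This is an added example, not configuration taken from this page or product; the share names, paths, mount point and the CephX user "samba" are assumed placeholders.

```ini
; Constructed smb.conf fragment. Share names, paths and the CephX user
; "samba" are placeholders, not values from this page.

; Variant 1: share served through vfs_ceph (libcephfs inside smbd).
; Per the text above, only the primary group of the AD user is considered
; here, so supplementary group memberships do not grant folder access.
[projects-vfs]
    ; with vfs_ceph the path is relative to the root of the Ceph filesystem
    path = /projects
    vfs objects = ceph
    ceph:config_file = /etc/ceph/ceph.conf
    ceph:user_id = samba
    kernel share modes = no
    read only = no

; Variant 2: CephFS mounted on the Samba server and shared as a local path.
; The mount must exist before smbd serves the share, for example:
;   mount -t ceph <mon-address>:/ /mnt/cephfs -o name=samba,secretfile=/etc/ceph/samba.secret
; No vfs_ceph module is loaded for this share; smbd accesses the mounted
; path like any other local directory.
[projects-path]
    path = /mnt/cephfs/projects
    read only = no
```

To see which group a user has as primary and which are supplementary, run `id` for that account on the Samba server: the `gid=` field is the primary group and `groups=` lists all memberships.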