ACLs by remote NT server *group*??

[Chris Shenton]

We've got a document repository on a Samba system, v 1.9.17alpha3,
Solaris 2.5.1. Or clients authenticate to an NT domain so we do auth
on Samba using the construct:

	security                = server
        password server         = HQBDC1
        
What we'd like to do is allow one of our departments to get access to
the docs but prevent all the other departments. I'd like to use the NT
*group* in which the users belong to do access control but I can't
figure a way to tell Samba to do this.  I really don't want to have to
clone a password file in UNIX or enumerate usernames because they
change so often -- I'd rather let the NT server boyz worry about that
stuff. :-)

Is there a way to do ACLs based on NT groups?

Or perhaps I'm so clueless on NT domains and NT-style authentication
to understand whether this is doable. But let me know one way or the
other. 

Thanks.

(I just pulled down 1.9.18alpha11 and am looking into DOMAIN.txt,
 NTDOMAIN.txt, etc, but my NT domain ignorance is preventing me from
 understanding all of it; pointers to good books welcome; I've already
 read the FAQs and docs on samba.anu.edu.au...)