[Samba] Winbind requirements and settings
Matt
mpayton at hunterdonhealth.com
Sun Nov 2 03:27:56 GMT 2003
I posted this to comp.protocols.smb, but I'll give it a shot here too...
Background :
We have an existing Win2k domain, 2 Win2k domain controllers, all
working just fine. I've been using Samba 2.2.x for quite a while to
provide access to specific folders on *nix machines using Domain
security...So I'm reasonably familiar with how file/print sharing works.
But what I'm interested in now is providing shell access to *nix
machines, without having to manually create accounts on each box.
Therefore, winbind....
1st, if using winbind, and all I want to do is not have to manually
create users on the *nix box, do I need to configure ldap in "client"
mode on the *nix box ? Or does winbind take care of looking up the
user/password info without needing ldap info ?
I guess what I mean is, do I need to worry about ldap ( or kerberos for
that matter ) ? We're not currently using it for any of our *nix
machines...
2nd, is it possible to have *only* users in a specified AD group be
granted shell access, and therefore be authenticated ? IE, I don't want
*all* valid users in our domain to be granted access, I want to be able
to say that only users in AD group X can log in via the shell on the
specific *nix box...
If this is possible, does this require ldap configuration on the *nix side ?
Finally, does using winbind require that the application/daemon
support, or be compiled to support PAM ? Some of our machines are AIX,
and PAM support isn't standard until 5.2, and has only recently been
back-ported to 5.1...We have 5.1, but also 4.3.3.
Or is there a good source of information on AIX's LAM and how it may
work ( if at all ) with Samba/winbind ?
I've read, and re-read all the information I've been able to find on
winbind, and am still a bit unclear on these things.
Thanks for any info or pointers...
--
- Matt -