[Samba] Trust, users, groups, scripts, etc. questions.

Carl J. Hilinski CHilinski at timespapers.com
Thu Nov 20 18:09:54 GMT 2003


I have some things I'd like someone brighter than me to explain. 
 
#1. Add xxxx scripts. Everyone seems to put these scripts in their
smb.conf. The add user and add machine make sense, and they work, but
explain to me how the other scripts, such as add user to group, are
supposed to work? When do they get called, etc.? I guess most of these
involve the smbldap tools.
 
#2. Here's my situation. I have an NT PDC in the domain TIMES. I have a
SAMBA 3.0 PDC (on RH9) in the domain FAIRFAX. LDAP is set up. The
domains trust each other. A Windows XP Pro user logs into TIMES, browses
the network and opens the FAIRFAX domain PDC. As soon as the FAIRFAX
domain is touched, a user (and probably machine, but I haven't tested
this fully) account is set up in LDAP for that user. Obviously the
adduser and addmachine scripts work. I'm going to assume this is the way
this is supposed to work, right? 
 
#2a. The user from #2 has an account in LDAP formed when he/she touched
the FAIRFAX domain. There is no password. In GQ, the sambaLMpassword and
sambaNTpassword show as XXX. The user password in GQ shows up as
{crypt}x and the encryption is set to crypt. Is this the expected
behavior? Obviously a password is not needed because the user is granted
access via the trust relationship. 
 
#2b. It appears that if you have two trusted domains and you have joined
one of them, you do not need to join the other to log into it. Is that
correct? Once I join the TIMES domain, the winxp pro logon screen allows
me to pick both the TIMES and the FAIRFAX domain. I can then log into
the FAIRFAX domain if I have a username and password there. Is this the
designed behavior?
 
#2c. Groups. This is something that just doesn't click with me. I have a
group called pagination on the FAIRFAX domain. I have a group called
pagination on the TIMES domain. I did the net groupmap add rid=1000
ntgroup=pagination unixgroup=pagination. If I log into the TIMES domain
and I am a member of the pagination group, should I have access to all
of pagination's shares on the SAMBA FAIRFAX domain? In GQ, shouldn't I
see my sambaPrimaryGroupSID as 1000? Should the primary group be passed
over and handled by the addxxx scripts?


