[Samba] Machine trust account confusion

[JB]

I have looked for an answer to this in many locations, but I am still 
confused about the use of machine trust accounts. It was my 
understanding, backed by a samba book, that in order for someone in a 
domain to access a resource, they must have a valid account on the 
domain AND be using a machine that has a trust account setup on the 
samba PDC. However, my experience and another samba book say that they 
only need a valid user account to use the resources.

The result is that I have a samba PDC setup with a single workstation 
that authenticates users off the PDC and everyone has proper access. 
However, I can place a laptop on the network with no trust account, and 
using since I log onto it with the same username and password, I can 
browse the domain resources as if I had authenticated off of the PDC.

I am hoping someone can explain this to me, I want to deploy a samba PDC 
in a larger environment, but I do not want a user to be able to see 
private resources just by knowing someone's username and pass, I want 
them to have to come from a trusted machine also.

Here is my smb.conf


[global]
netbios name = HERAKLES
workgroup = STS
server string = Samba Server %v

security = user
encrypt passwords = yes
username map = /etc/samba/smbusers
smb passwd file = /etc/samba/private/smbpasswd
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

local master = yes
os level = 65
preferred master = yes
domain master = yes
domain logons = yes
logon script = logon.bat
time server = yes
wins support = yes

interfaces = eth1
hosts allow = 192.168.10.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
log level = 3
log file = /var/log/samba/log.%m

[netlogon]
         path = /export/samba/netlogon
         writable = no
         browsable = no

[Shared Business Docs]
         copy = template
         path = /export/samba/shareddocs
         comment = Shared Business Documents
         writable = yes


Regards,
-John
jbarton at technicalworks.net