[Samba] security questions

[need2know]

I'm new to Samba and bringing 3.0.10 up.  The current
question is how to nail down security to give the
department free access to our resources and keep
everyone else out.

The network has UNIX, Linux, and Windows compute
servers, some specialized file servers, clients
mostly running Windows and/or Linux, a few Sun
workstations, and several printers.  The users
belong to two or three different domains and will
be logging in from any of several different subnets
that are shared with other departments.  Some of
the clients have dynamically assigned IP addresses.

The boss wants it nailed down so that only members
of the department can get to our resources.  The
"hosts allow" option includes all the subnets where
the department has a presence, but that doesn't
exclude the other organizations that share those
subnets.

The "valid users" option looks helpful.  Can Samba
use netgroups even if none of the UNIX systems it
serves are running NIS or NIS+?  If not, is there
an upper bound on the number of characters or
entries in the value of the "valid users" option?
If all the users have to be specified individually,
it's going to be a looooong list.

Thanks!