fransisco.mario@showa.co.id
2006-May-23 14:01 UTC
[Samba] Preventing non-domain user from accessing domain resources
Hi,

I've just built a Samba PDC on SuSE 10.0 OSS (the open source version) with OpenLDAP as the passwd backend on the same machine. Everything (almost) works fine: Windows users (Win98/Me or WinXP Pro) can authenticate against the PDC+LDAP server or change their password, thanks to Samba.

But something just isn't right. Users that log in to their computers using their local accounts (the two-row authentication mode, without the domain text box) with the same login names and passwords that reside in the LDAP server may still access another computer that has already joined the domain. If bad guys (with WinXP Pro) try to connect to the domain computers, then the domain computers will happily provide them with an authentication welcome message. Just type the login name and password and, voila, you're in! Is that weird, or is that just how things work within a domain? I thought non-domain computers would be kept out of the domain? Is that an IPsec or group-policy matter, as in the Windows environment? I am truly a newbie on those two subjects. That's the first problem.

I've also built another file server (Red Hat 9; Samba has been reinstalled using Samba 3; different workgroup from the PDC, but the Samba share directory is accessible to the domain users; the passwd backend is the LDAP server). But I can only log in locally, even as root, to the Samba file server when the LDAP server is running and the Samba file server is connected to the network! Why can't I log in against the local passwd?

Any ideas, or can somebody point me to the threads related to those two problems? I've lost months trying to fix them.

Thank you.