Peter Rindfuss
2008-Aug-12 17:12 UTC
[Samba] BDC returning wrong Domain Group membership ?
Hi all,

I have just noticed the following situation: Our NT4-style domain users are often (not always) seen by Windows XP as members of Domain Users and Domain Guests and Domain Admins and Domain Computers, although they are definitely only members of "Domain Users". This gives us a security problem as "Domain Admins" become local Administrators. They are no real "Domain Admins", i.e. there is no problem for the domain functions.

Our environment is:

Samba 3.0.24 PDC (Suse Linux 10.0) [cannot upgrade at the moment]
Samba 3.2.1 BDC (Suse Linux 10.3)
Win XP Pro SP3 clients
Database on PDC and BDC is OpenLDAP (replication on BDC).

I could track this down to the following: If I turn off Samba on the BDC, everything (after logoff/logon) is ok. Analyses with "Wireshark" and "Process Monitor" show that only if a client retrieves information from the BDC, things go wrong.

N.B. The same problem existed when the BDC was at Samba 3.026a.

Thanks in advance for ideas and help

Peter Rindfuss