It would be good to have anonymous bind ability to a ldapsam backend. At first hear, it would sound crazy, but if you use ldapi:/// (LDAP over domain sockets) URL to the LDAP server (where the LDAP server and the Samba PDC is on the same machine - a common setup, I think), there's no need for authentication, since the permissions controlled by the normal UNIX access control mechanisms. So I think when the "ldap admin dn" option is missing, Samba should try an anonymous bind.
descent idea but a little dangerous due to how Samba implemented the ldapsam passdb backend. Marking for later if possible.
*** Bug 1041 has been marked as a duplicate of this bug. ***