I need to allow [read] access to a Samba server using both IP
filtering & UserIDs .

For a given list of IP subnets, any user should have access.
Outside these 'trusted' subnets, I need to do User authentication.

I can handle the User authentication OK in several ways.
However, I don't see any way to do the 'short circuit' allow for some
IPs, then use User authentication after that.
If I do a 'deny', in the InetD or in Samba, then the 'untrusted'
subnets are denied, & not allowed to try logging-in .

Any ideas?

I originally thought that PAM would give me this functionality, but
now I don't see it.
Is PAM at all popular for Samba 'authentication' ?