Side effect of the Samba 3 LDAP implementation
Unless other "standard" applications that are using LDAP with LDAPBINd command to authenticate users, Samba went for specific implementation based on sambaLMPassword and sambaNTPassword (i.e. additional password hashes) in order to support direct Windows authentication. For what I understand, it means that if you have an LDAP server (here Zentyal) with existing users and decide later to implement Samba, if will not work for existing users unless you manually populate these new attributes.
But I might be wrong...
Edit: notice that implementation based on Unix which relies on PAM & NSS would not exhibit same (negative) side effect but will also offer something less "Windows domain" compliant. For workgroup this is however more than enough. Unfortunately, this is not direction taken by Samba team, neither by Zentyal team.