Do you have a system-auth-winbind file in your pam.d directory? If not, create one and add the following entries to it:
Code:
# Authentication: try the domain (winbind) first, then local accounts.
# use_first_pass hands the password winbind already collected to pam_unix,
# so users are not prompted twice; pam_deny rejects anything that got this far.
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
# Account checks: winbind decides for domain users, pam_unix for local ones.
account sufficient pam_winbind.so
account required pam_unix.so
# Password changes apply to local accounts only (no pam_winbind in this stack).
password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
# Session: create the home directory on a domain user's first login.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so
In your smb.conf, make sure that you have
Code:
obey pam restrictions = Yes
This is what we use on our samba+ldap domain and previously on the NT4 domain. I can't guarantee it'll work on AD, but it's worth a shot.
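As an added sanity check (my own example, not from the post above or from Samba/PAM), the script below parses a pam.d stack of the kind shown and flags the ordering and option mistakes that bite with winbind: local accounts tried before the domain, pam_unix without use_first_pass (double password prompt), no catch-all pam_deny, no pam_mkhomedir. It assumes the plain required/sufficient control keywords the post uses; bracketed controls and include/substack lines are rejected rather than interpreted. Both embedded stacks are constructed sample input, the first being the posted stack.

```python
"""Lint a system-auth-winbind style PAM stack.

Added example for this thread, not part of the original post or of Samba/PAM.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PamEntry:
    typ: str          # auth / account / password / session
    control: str      # required / requisite / sufficient / optional
    module: str       # e.g. pam_winbind.so
    args: List[str] = field(default_factory=list)


# Constructed sample input: the stack from the post, with comments.
PAGE_STACK = """\
# system-auth-winbind as posted
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
account sufficient pam_winbind.so
account required pam_unix.so
password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so
"""

# Constructed, deliberately wrong stack: local accounts first, password not
# passed along, no catch-all deny, no mkhomedir.
BROKEN_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
account required pam_unix.so
session required pam_unix.so
"""


def parse_pam(text: str) -> List[PamEntry]:
    """Parse pam.d-style lines; '#' comments and blank lines are skipped.

    Only the plain control keywords are supported. Bracketed controls
    ([success=1 default=ignore]) and include/substack lines raise instead
    of being silently misread.
    """
    entries: List[PamEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        typ, control, module, *args = parts
        if control.startswith("[") or control in ("include", "substack"):
            raise ValueError(f"unsupported PAM control syntax: {raw!r}")
        entries.append(PamEntry(typ, control, module, args))
    return entries


def lint_winbind_stack(text: str) -> List[str]:
    """Return findings for a winbind stack; an empty list means it looks sane."""
    entries = parse_pam(text)
    findings: List[str] = []

    def by_type(typ: str) -> List[PamEntry]:
        return [e for e in entries if e.typ == typ]

    auth = by_type("auth")
    mods = [e.module for e in auth]
    if "pam_winbind.so" not in mods:
        findings.append("auth: pam_winbind.so missing; domain users cannot authenticate")
    elif "pam_unix.so" in mods and mods.index("pam_unix.so") < mods.index("pam_winbind.so"):
        findings.append("auth: pam_unix.so is listed before pam_winbind.so; local lookup runs first")
    for e in auth:
        if e.module == "pam_winbind.so" and e.control != "sufficient":
            findings.append(f"auth: pam_winbind.so is '{e.control}'; 'sufficient' keeps local logins working")
        if e.module == "pam_unix.so" and not {"use_first_pass", "try_first_pass"} & set(e.args):
            findings.append("auth: pam_unix.so lacks use_first_pass; users are prompted for the password twice")
    if not auth or auth[-1].module != "pam_deny.so":
        findings.append("auth: stack does not end with pam_deny.so, the catch-all that rejects what nothing above accepted")

    if "pam_winbind.so" not in [e.module for e in by_type("account")]:
        findings.append("account: pam_winbind.so missing; domain account restrictions are not checked")

    if "pam_mkhomedir.so" not in [e.module for e in by_type("session")]:
        findings.append("session: pam_mkhomedir.so missing; a domain user's first login has no home directory")
    return findings


if __name__ == "__main__":
    for name, stack in (("posted stack", PAGE_STACK), ("broken stack", BROKEN_STACK)):
        problems = lint_winbind_stack(stack)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Point it at your own file with `lint_winbind_stack(open("/etc/pam.d/system-auth-winbind").read())`; the posted stack comes back clean, the broken one lists four findings. The checks only cover what the post's stack establishes, so a clean result is a starting point, not proof the login will work against AD.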