Michael K. Smith - Adhost
2006-Nov-03 18:33 UTC
[Samba] FreeBSD 6.1 - winbind - ssh pam problem
Hello All: I am trying to authenticate against an Active Directory using winbind in my /etc/pam.d/sshd configuration (below). If the user is in the local password file, I can authenticate successfully using that user's Active Directory credentials. However, if the user is not in the local password file, I get the following errors.

Nov 3 10:07:48 mailnat pam_winbind[29805]: request failed: Wrong Password, PAM error was system error (4), NT error was NT_STATUS_WRONG_PASSWORD
Nov 3 10:07:48 mailnat pam_winbind[29805]: internal module error (retval = 4, user = `mksmithadmin')
Nov 3 10:07:48 mailnat sshd[29805]: in _openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 4
Nov 3 10:07:48 mailnat sshd[29803]: error: PAM: error in service module for illegal user mksmithadmin from 216.211.143.98

The password for the user is valid in the Active Directory, but the user 'mksmithadmin' is not in the local password file. The user shows up correctly when issuing a wbinfo -u. Here are some relevant (I hope) configurations. Any help would be greatly appreciated.

Regards,

Mike

# /etc/pam.d/sshd
auth      sufficient  /usr/local/samba/lib/security/pam_winbind.so
auth      sufficient  pam_nologin.so      no_warn
auth      sufficient  pam_opie.so         no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so   no_warn allow_local
auth      sufficient  pam_unix.so         no_warn try_first_pass
account   sufficient  /usr/local/samba/lib/security/pam_winbind.so
account   required    pam_unix.so
session   required    pam_permit.so
password  required    pam_unix.so         no_warn try_first_pass
# NOTE(review): every "auth" entry above is "sufficient"; FreeBSD's stock sshd policy
# keeps pam_nologin and the final pam_unix at "required". As I read openpam_dispatch,
# a failing "sufficient" module is not recorded as a failure of the stack, so if
# pam_nologin returns success when /var/run/nologin is absent (check pam_nologin(8)),
# a password that pam_winbind rejects can still end the auth phase successfully at
# the pam_nologin line for any account getpwnam() resolves. Restore "required" on
# pam_nologin and pam_unix, or end the stack with "auth required pam_deny.so", so an
# all-fail stack cannot be read as success.

# /etc/nsswitch.conf
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
# NOTE(review): sshd's "illegal user" in the last log line means its getpwnam() lookup
# failed; that lookup goes through this file's passwd line (nss_winbind), not through
# pam_winbind or wbinfo, so "wbinfo -u" listing the user does not prove NSS resolution
# works. `id mksmithadmin` exercises the same path; if it fails, confirm nss_winbind is
# installed where FreeBSD's libc looks for NSS modules before changing the PAM stack.

# smb.conf
[global]
workgroup = ADHOST
server string = Samba Server
security = ADS
hosts allow = 10.142.0. 10.211.128. 127.
load printers = no
printing = bsd
log file = /usr/local/samba/var/%m.log
log level = 3
max log size = 500
password server = ad-pdc01
realm = ADHOST.LAN
passdb backend = tdbsam
interfaces = <lots of addresses>
local master = no
domain master = no
preferred master = no
domain logons = no
wins support = no
dns proxy = no
idmap uid = 600-20000
idmap gid = 600-20000
# NOTE(review): this idmap range overlaps the uid/gid space FreeBSD gives local
# accounts (adduser/pw default to starting at 1000). With "passwd: files winbind" a
# winbind-allocated uid that equals a local uid makes two identities share file
# ownership. Pick a range above every local uid/gid before the idmap tdb fills up,
# since presumably ids already allocated are kept.
template shell = /bin/tcsh
template homedir = /home/%U
winbind use default domain = Yes
winbind separator = +
winbind nested groups = Yes
winbind enum users = Yes
winbind enum groups = Yes
syslog only = Yes
ldap ssl = No
encrypt passwords = Yes

# ./configure parameters
$ ./configure CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib --with-winbind --with-ads --with-ldap --with-msdfs --enable-socket-wrapper --disable-cups --disable-iprint --with-pam --with-pam_smbpass --with-exp-modules
# NOTE(review): --enable-socket-wrapper builds in Samba's test-suite socket redirection
# (configure --help marks it as for testing); it is not needed for an ADS member server
# and is better left out of a production build, as is --with-exp-modules unless one of
# the experimental modules is actually in use.