samba - Sep 2007 - Samba (winbind) integration into an Active Directory domain

Hello,

I have an existing Active Directory domain with a couple hundred
users.  I am trying to setup our Linux (Gentoo specifically) servers
to allow "seamless" login integration at the console, via ssh and
possibly using smbmount.

I think I've got it pretty close, but seem to be missing something.
When my test user logs in, a home directory is created for them, the
console throws up the last login information, and then immediately
logs them back out.

I've searched the log files (messages, log.smbd/nmbd/winbind) but
don't see anything blatently obvious.  I followed the Samba docs, and
have since tried variations that are abundant around the web.

Technical bits:
I'm authenticating via kerberos using winbind against an Active
Directory implementation on top of a Windows 2003-r2 server.
I'm running a fresh up-to-date (as of today) install of gentoo (not
~x86, just x86) 2.6.22-r5, samba 3.0.24-r3, pam 0.78-r5

My
smb.conf is:

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
security = ADS
password server = MYACTIVEDIRECTORYSERVER.MYDOMAIN.COM
log level = 2
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

I tried changing the separator to \ to give the "feel" of Windows, but
samba didn't like it, and assumed I had no character there, so I
switched it to the often used example of +.  Other than that, I can't
see anything obviously wrong.  I can post up my nsswitch.conf and my
pam.d/login - pam.d/system-auth files if anyone thinks it's a problem
in one of those.



Thanks!

-Chad