jtournier@idealx.com
2003-May-12 15:46 UTC
[Samba] samba ldap and pam without -with-ldapsam option
Hello,

I have two questions about pam and ldap: I want to set up a samba-ldap PDC. I first installed a samba compiled with the --with-ldapsam option. I set up a directory with users and samba attributes: everything works fine.

Now, I want to set up an equivalent architecture, but with the pam support. In the man pages, I can read that I need

> obey pam restrictions = Yes

which implies the directive

> encrypt passwords = No

I also have

> security = user
> unix password sync = Yes
> domain logons = Yes
> os level = 65
> preferred master = Yes
> domain master = Yes

and my /etc/pam.d/samba contains

> #%PAM-1.0
> auth sufficient /lib/security/pam_ldap.so
> auth required /lib/security/pam_unix_auth.so try_first_pass
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_unix_acct.so

But I can't mount any volume, I can't join a Windows client to the domain...: I always get the error message "session setup failed: NT_STATUS_ACCESS_DENIED".

So, are my configuration lines correct? Why can I find, in lots of example configuration files, the two lines "obey pam restrictions = Yes" and "encrypt passwords = Yes"?

Can the pam support retrieve the value of the attributes defined in the directory (logon script, logon path ...) or can samba and pam just act as the authentication service? If it can't, is --with-ldapsam the only solution to solve my problems?

Thanks a lot

--
Jérôme