samba - Nov 2003 - Winbind, Pam, And Active Directory

My smb.conf and nsswitch.conf and /etc/pam.d/samba and login are below. Pam
and winbind are configured. Are my config's correct? I have about 40
workstations using redhat 9. Im using Samba 3.0.0 and I am trying to use a
Windows 2003 Active Directory server for authentication. Using LDAP for
auth.

I can see the users and groups and If i login with the local account root,
open a terminal window and say su <domain+user> it will bring me to a new
shell. Because i am root it won't ask me for a password. If i login with
another local machine account and say su <domain+user> it will prompt for
a
password and wont accept anything i give it. When redhat 9 boots I try to
login with <domain+user> and it wont accept anything other than the local
machine accounts.

I issue this command net rpc join -S <MYPDCDOMAINNAME> -U
<MYADMINACCT>

I get joined the domain <MYDOMAIN>

winbindd does start

I issue wbinfo -u and it shows all the users on the domain.
I issue wbinfo -g and it shows all the groups on the domain
I issue getent passwd and it shows all the users in UNIX format

I start smb daemons in this order
smbd
nmbd
winbindd


<<SMB.CONF>>

[global]
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
workgroup = <mydomain>
security = domain
password server = <MY PRIMARY DOMAIN CONTOLLER SERVER> **There is an LDAP
server but if I put that here I cant list users**


<<NSSWITCH.CONF>>
passwd:     files winbind
shadow:     files
group:      files winbind

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus

<</etc/pam.d/samba>>
#%PAM-1.0
auth    required        /lib/security/pam_stack.so service=system-auth
account required        /lib/security/pam_stack.so service=system-auth

<</etc/pam.d/login>>
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_UNIX.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so