John Kakritz
2005-Mar-11 22:27 UTC
[Samba] Samba authentication fails unless unix account exists
I've set up Samba 3.0.9 with ADS support and OpenLDAP 2.2.23 on FreeBSD 5.3. I've got all the essential services working as far as I can tell. Nmbd, smbd, and winbindd are running. I've created a machine account in the domain with the net ads join command. wbinfo -u returns a list of my AD domain users in the DOMAIN\username format, and wbinfo -g returns my groups in the same format. Changes to users and groups in AD all seem to propagate almost immediately. My shares can be accessed with the appropriate permissions using my account.

My problem is that users cannot authenticate to Samba unless an account with the same name (but not necessarily the same password) exists in the unix passwd file. If I make an account that matches the AD domain account on the BSD box (even if it has a different password) then that user can authenticate via Samba, but if no unix account exists the user cannot authenticate.

For example, a

    wbinfo -a FULLY.QUALIFIED.DOMAIN//username%password

returns

    plaintext password authentication succeeded
    challenge/response password authentication succeeded

but a

    smbclient -L localhost -Uusername

returns

    read_socket_with_timeout: timeout read. read error = Connection reset by peer.
    session setup failed: Read error: Connection reset by peer

Any suggestions?