samba - Jul 2005 - winbind + pam authentication immediately closes session

I followed the basic pointers for setting up pam + winbind on a debian
based system ( http://www.ubuntuforums.org/showthread.php?t=5409 ) the
member server is joined to the domain and authentication appears to
work successfully, however when I attempt to login with a domain user
with the proper password to a method that requires a session
(ssh/su/xdm) or otherwise the session is immediately closed.

Relevant event history:

(testing winbind auth)
tjfontaine@server2:~$ wbinfo -a jay%uberSecretPass
plaintext password authentication succeeded
challenge/response password authentication succeeded

(su'ing to domain user)
tjfontaine@server2:~$ su - jay
Password:
tjfontaine@server2:~$
 
(auth.log on member server)
Jul 27 14:13:59 server2 su[7978]: + pts/0 tjfontaine:jay
Jul 27 14:13:59 server2 su[7978]: (pam_unix) session opened for user
jay by tjfontaine(uid=1000)
Jul 27 14:13:59 server2 su[7978]: (pam_unix) session closed for user jay
 
(member servers log on domain controller)
[2005/07/27 14:14:13, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [jay] -> [jay] ->
[jay] succeeded

Member server information:

Debian Unstable
samba 3.0.14a (-6 debian revision)
server2:~# uname -a
Linux server2 2.6.10-1-686-smp #1 SMP Fri Mar 11 01:49:45 EST 2005
i686 GNU/Linux

Member server config:

[global]
   workgroup = mydomain
   log level = 10
   server string = Terminal Server
   wins support = no
   wins server = 192.168.2.1
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = domain
   encrypt passwords = true
   passdb backend = tdbsam guest
   obey pam restrictions = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
   socket options = TCP_NODELAY
   domain master = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = Yes
   winbind separator = +
   password server = *

[homes]
   comment = Home Directories
   browseable = no
   writable = no
   create mask = 0700
   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

Apologies for cluttering the list, of course it was user error it just
took a bit more tracking down. There are some descrepancies between
http://www.ubuntuforums.org/showthread.php?t=5409 and
https://wiki.ubuntu.com/ActiveDirectoryWinbindHowto for what
common-(auth | account | session) should contain, the wiki information
works for me on pure debian. Again sorry for the list clutter.