Hi,
I managed to set up a Samba server that accepts Kerberos 5 TGTs via
SPNEGO/GSSAPI for login. However, when I don't have a TGT it fails for
Unix clients. It asks for username/password for Windows clients and then
fails trying to do NTLMv2 authentication.
How can I set up a Samba server that asks for username/password and
then uses a Unix Kerberos KDC (Heimdal v. 1.2 in my case) for
authentication?
Many thanks,
Alf.
-----------------------------------------------------------------------
Alf Wachsmann | e-mail: alfw at slac.stanford.edu
SLAC - Scientific Computing | Phone: +1-650-926-4802
2575 Sand Hill Road, M/S 97 | FAX: +1-650-926-3329
Menlo Park, CA 94025, USA | Office: Bldg. 50/323
-----------------------------------------------------------------------
http://www.slac.stanford.edu/~alfw (PGP)
-----------------------------------------------------------------------
Hi all
I've a SAMBA 3.0.33 server running on Solaris 10 sparc.
The server is joined to a Windows ADS.
I'm getting the following error when trying to access the share as an AD
user from a Windows machine.
[2009/09/29 10:48:05, 2] smbd/service.c:(616)
user 'FIRSTGROUP\admandymarr' (from session setup) not permitted to access this share (lsww)
[2009/09/29 10:48:05, 3] smbd/error.c:(106)
error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
)
I set up a temp share with an empty valid users list, but I get the same
issue.
I'm not sure if the user should have the domain\user when trying to
access the share?
I'm so close :-)
Any pointers would be great.
Smb.conf
[global]
workgroup = FIRSTGROUP
netbios name = FGUKSHPPAY001
realm = FIRSTGROUP.COM
preferred master = no
server string = DR Samba Server
security = ADS
encrypt passwords = yes
allow trusted domains = yes
log level = 5
log file = /var/samba/log/log.%m
max log size = 250
printcap name = /dev/null
load printers = no
idmap uid = 62000-73000
idmap gid = 6200-7300
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /export/home/%U
template shell = /bin/bash
password server = fgukcbpadc001.firstgroup.com
#============================ Share Definitions =============================
[temp]
comment = lsww
path = /tmp
valid users public = yes
browseable = yes
read only = yes
[lsww]
comment = lsww
path = /mirror/livesww/list
valid users = admandymarr
public = yes
browseable = yes
read only = yes