Kiran Patil
2014-Sep-29 14:31 UTC
[Samba] ActiveDirectory authentication failures with pam_winbind on SuSE 11
Hi,

I am facing an issue with authenticating users against Windows 2008 ActiveDirectory. Joining/leaving the domain and getting users and groups (id <user>, getent group <group name>) works fine. But PAM authentication through pam_winbind fails with the error below.

Sep 25 11:02:15 host sshd[74473]: pam_winbind(sshd:auth): getting password (0x00000390)
Sep 25 11:02:15 host sshd[74473]: pam_winbind(sshd:auth): pam_get_item returned a password
Sep 25 11:02:15 host sshd[74473]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_ACCESS_DENIED, Error message was: Access denied
Sep 25 11:02:15 host sshd[74473]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'user1')

Auto generated krb5.conf file:

[libdefaults]
    default_realm = SAMPLE.NET
    default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
    SAMPLE.NET = {
        kdc = xx.xx.xx.xx
        kdc = xx.xx.xx.xx
    }

smb.conf file:

[global]
    server signing = auto
    lanman auth = no
    workgroup = SAMPLE
    server string = Test host
    log file = /var/log/samba/%m.log
    max log size = 50
    security = ADS
    passdb backend = tdbsam
    local master = no
    load printers = no
    map to guest = Bad User
    follow symlinks = yes
    wide links = yes
    unix extensions = no
    hide dot files = no
    restrict anonymous = 1
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    winbind refresh tickets = yes
    winbind use default domain = yes
    strict sync = yes
    winbind cache time = 5
    client ldap sasl wrapping = sign
    realm = SAMPLE.NET
    template homedir = /home/users
    template shell = /bin/bash
    winbind enum groups = no
    winbind enum users = no
    winbind offline logon = yes

"id user1" and "kinit users1" work too. Only authentication fails, when a user tries to log on through sshd.

Has anyone come across a similar issue?

Thanks,
-Kiran