PB with SAMBA3 on AIX4.3.3 and AD W2K3

[aixplorer]

Hello world,
I try to add samba 3 on AIX 4.3.3-ML11 to windows 2003 AD (DNS,WINS) but i can't connect with a windows AD user on AIX telnet console. rot su command to user work, but telnet ftp failed.

My installation:

#install bos.adt.*

#installp rpm.rte

#rpm -ivh --nodeps *.rpm
autoconf-2.53-1.aix4.3.noarch.rpm
automake-1.5-1.aix4.3.noarch.rpm
bash-2.05a-1.aix4.3.ppc.rpm
bison-1.34-2.aix4.3.ppc.rpm
db-3.3.11-3.aix4.3.ppc.rpm
flex-2.5.4a-6.aix4.3.ppc.rpm
gawk-3.1.0-2.aix4.3.ppc.rpm
gettext-0.10.39-2.aix4.3.ppc.rpm
glib-1.2.10-2.aix4.3.ppc.rpm
glib-devel-1.2.10-2.aix4.3.ppc.rpm
glib2-2.2.1-3.aix4.3.ppc.rpm
glib2-devel-2.2.1-3.aix4.3.ppc.rpm
gzip-1.2.4a-7.aix4.3.ppc.rpm
libtool-1.4.2-1.aix4.3.ppc.rpm
m4-1.4-14.aix4.3.ppc.rpm
make-3.79.1-3.aix4.3.ppc.rpm
pkgconfig-0.15.0-1.aix4.3.ppc.rpm
rpm-3.0.5-30.aix4.3.ppc.rpm
sed-3.02-8.aix4.3.ppc.rpm
tar-1.13-4.aix4.3.ppc.rpm

#Install binutils.2.9.1

#Install gcc.3.3.4

#Update PATH and LD_LIBRARY_PATH
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/local/bin:/usr/local/sbin:/usr/local/samba/bin:/usr/local/samba/sbin:/usr/local/rs6000-ibm-aix4.2/bin:/usr/linux/bin
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/lib:/usr/local/rs6000-ibm-aix4.2/lib

KERBEROS krb5-1.3.5
#./configure --enable-dns --enable-dns-for-kdc --enable-dns-for-realm --disable-thread-support ac_cv_func_setutent=no
make
make install

OPENLDAP openldap-2.2.18
#./configure --disable-slurpd --disable-bdb --disable-slapd --without-threads
make depend
make
make install

SAMBA samba-3.0.23d
#./configure --with-winbind --with-ldap --with-ads --with-krb5=/usr/local
make
make install

--------------------------------------------------------------------------------

/etc/resolv.conf

domain psl.local
nameserver 10.98.176.181

#nslookup
Default Server: psl2k3
Address: 10.98.176.181

> 10.98.176.181
Server: psl2k3
Address: 10.98.176.181

> b50
Server: psl2k3
Address: 10.98.176.181

Name: b50.psl.local
Address: 10.98.176.156

--------------------------------------------------------------------------------

/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
default_realm = PSL.LOCAL
ticket_lifetime = 24000
forwardable = true
proxiable = true
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
PSL.LOCAL = {
kdc = PSL2K3
admin_server = PSL2K3
}

[domain_realm]
.psl.local= PSL.LOCAL
psl.local = PSL.LOCAL

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

--------------------------------------------------------------------------------

/usr/local/samba/lib/smb.conf

[global]
workgroup = PSL
netbios name = B50
server string = AIX-4.3.3
security = ADS
realm = PSL.LOCAL
password server = PSL2K3
wins server = PSL2K3
client use spnego = yes
client signing = yes
encrypt passwords = yes
show add printer wizard = No
winbind use default domain = yes
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
use sendfile = Yes
ldap suffix = "dc=PSL,dc=LOCAL"
winbind cache time = 0
log level = 8
log file = /var/log/samba.log
max log size = 5000000
debug timestamp = yes
browseable = yes
obey pam restrictions = yes
auth methods = winbind

[homes]
comment = User Home
path = /home/%U
force group = %U
read only = No
browseable = yes

[tmp]
comment = tmp
path = /tmp
read only = No
browseable = yes
public = yes

--------------------------------------------------------------------------------

#kinit administrator
Password for administrator@PSL.LOCAL:
b50.psl.local / #klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@PSL.LOCAL

Valid starting Expires Service principal
12/29/06 10:20:53 12/29/06 20:20:57 krbtgt/PSL.LOCAL@PSL.LOCAL
renew until 12/30/06 10:20:53


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

--------------------------------------------------------------------------------

#net ads join -U administrator
administrator's password:
Using short domain name -- PSL
Joined 'B50' to realm 'PSL.LOCAL'

--------------------------------------------------------------------------------

/usr/local/etc/openldap/ldap.conf

HOST 10.98.176.181
BASE cn=Users,dc=PSL,dc=LOCAL
binddn cn=ldapuser,cn=Users, dc=PSL,dc=LOCAL
bindpw $Azert*
scope sub
ssl no

--------------------------------------------------------------------------------

#cp /path/to/samba-source/nsswitch/WINBIND /usr/lib/security

--------------------------------------------------------------------------------

/usr/security/method.cfg

WINBIND:
program = /usr/lib/security/WINBIND
options = authonly

--------------------------------------------------------------------------------

/etc/security/user

default:
admin = false
login = true
su = true
daemon = true
rlogin = true
sugroups = ALL
admgroups =
ttys = ALL
auth1 = SYSTEM
auth2 =
tpath = nosak
umask = 022
expires = 0
SYSTEM = "WINDBIND"
logintimes =
pwdwarntime = 0
account_locked = false
loginretries = 0
histexpire = 0
histsize = 0
minage = 0
maxage = 0
maxexpired = -1
minalpha = 0
minother = 0
minlen = 0
mindiff = 0
maxrepeats = 8
dictionlist =
pwdchecks =

--------------------------------------------------------------------------------

Start SAMBA services

/usr/local/samba/sbin/smbd -D
/usr/local/samba/sbin/nmbd -D
/usr/local/samba/sbin/winbindd

--------------------------------------------------------------------------------

#wbinfo -u
administrator
guest
krbtgt
aa
ldapuser

#wbinfo -g
BUILTIN\administrators
BUILTIN\users
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy

#wbinfo -i aa
aa:*:15012:15000:aa:/home/aa:/bin/bash

#wbinfo -a aa%passw0rd
plaintext password authentication succeeded
challenge/response password authentication succeeded

#mkdir /home/aa ; chown 15012:15000 /home/aa ; ls -l /home/aa
drwxr-xr-x 2 aa domain u 512 Dec 29 12:01 aa

#ls -l /bin/bash
lrwxrwxrwx 1 root system 27 Dec 18 15:33 /bin/bash -> ../../opt/freeware/bin/bash

#lsuser aa
aa id=15012 pgrp=domain users groups=15000,15003 home=/home/aa shell=/bin/bash gecos=aa login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2= umask=22 registry=WINBIND SYSTEM=WINDBIND logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

#su - aa <---- by root
bash-2.05a$ id
uid=15012(aa) gid=15000(domain users)

--------------------------------------------------------------------------------

su commande by user aa or telnet connection failed by telnet with user aa
login: aa
aa's Password:
3004-007 You entered an invalid login name or password.

#syslog.out
Dec 29 12:05:16 b50 su: BAD SU from aa to aa at /dev/pts/0
Dec 29 12:06:52 b50 syslog: pts/1: failed login attempt for aa from b50

If there is some little light on the black unix univers for help me to understand this problem.
thank's.