samba, AD, авторизация[частично решено]

Доброго времени суток
после долгих мучений ввел я машину в домен
билеты кербероса получил
пользователей и группы видит
wbinfo -u
PMI+администратор
PMI+гость
...

через fusesmb можно было видеть другие машины: fusesmb /mnt/net/ -o allow_root
потом отредактировал как тут: http://www.opennet.ru/base/net/samba3_inc_domain.txt.html
ls -lsh /etc/pam.d/|grep 23
4.0K -rw-r--r-- 1 root root 809 Дек 23 12:43 gdm
4.0K -rw-r--r-- 1 root root 397 Дек 23 12:39 samba
4.0K -rw-r--r-- 1 root root 705 Дек 23 12:39 system-auth-winbind

getent group
стала выводить и группы с домена

но теперь /mnt/net/ пустая (fusesmb /mnt/net/ -o allow_root)

samba и system-auth-winbind вернул в исходный вид, не помогло

вот и собственно проблема:
авторизироваться не хочет

wbinfo -a kuzmin%SECRET
plaintext password authentication failed
error code was NT_STATUS_LOGON_FAILURE (0xc000006d)
error messsage was: Logon failure
Could not authenticate user kuzmin%SECRET with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_LOGON_FAILURE (0xc000006d)
error messsage was: Logon failure
Could not authenticate user kuzmin with challenge/response

wbinfo -K kuzmin%SECRET
plaintext kerberos password authentication for [kuzmin%SECRET] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

id kuzmin
uid=10000(PMI+kuzmin) gid=10000(PMI+пользователи домена) группы=10000(PMI+пользователи домена),10006(PMI+администраторы домена),10011(PMI+группа с запрещением репликации паролей rodc),10018(fuse),10019(BUILTIN+users)

su kuzmin
PMI+kuzmin@pmi6 /root/Desktop $ id
uid=10000(PMI+kuzmin) gid=10000(PMI+пользователи домена) группы=10000(PMI+пользователи домена),10006(PMI+администраторы домена),10011(PMI+группа с запрещением репликации паролей rodc),10018(fuse),10019(BUILTIN+users)

пользовался:
http://www.opennet.ru/base/net/samba3_inc_domain.txt.html
http://www.opennet.ru/base/net/pdc_auth.txt.html
http://gentoo.blog.ru/77378147.html
и еще что то

Сервер: pmiserver
win2008 server

потом буду править /etc/pam.d/gdm

cat /etc/samba/smb.conf
[global]

auth methods = winbind
workgroup = pmi.ustu
netbios name = pmi6
server string = Gentoo Linux on PMI6
load printers = no
log file = /var/log/samba/log.%m
max log size = 50
interfaces = lo eth0
bind interfaces only = yes
hosts allow = 192.168.0.0/255.255.255.0
hosts deny = 0.0.0.0/0
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
smb ports = 139
security = ADS
realm = pmi.ustu
password server = pmiserver
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/pmi.ustu/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8

cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
# ticket_lifetime = 24000
# clock_skew = 300
default_realm = PMI.USTU.
# kdc_timesync = 1
# ccache_type = 4
# forwardable = true
# proxiable = true

[realms]
PMI.USTU = {
admin_server = PMISERVER.PMI.USTU
default_domain = pmi.ustu.
kdc = pmiserver.pmi.ustu
}

[domain_realm]
.pmi.ustu = PMI.USTU.
pmi.ustu. = PMI.USTU.

tail /var/log/samba/log.winbindd
[2009/12/23 14:19:30, 0] lib/util_sock.c:write_data(564)
write_data: write failure. Error = Соединение сброшено другой стороной
[2009/12/23 14:19:30, 0] libsmb/clientgen.c:write_socket(158)
write_socket: Error writing 104 bytes to socket 17: ERRNO = Соединение сброшено другой стороной
[2009/12/23 14:19:30, 0] libsmb/clientgen.c:cli_send_smb(188)
Error writing 104 bytes to client. -1 (Соединение сброшено другой стороной)
[2009/12/23 14:19:30, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2223)
cli_rpc_pipe_open: cli_nt_create failed on pipe \lsarpc to machine pmiserver.pmi.ustu. Error was Write error: Соединение сброшено другой стороной
[2009/12/23 14:19:47, 1] nsswitch/idmap.c:idmap_init(377)
Initializing idmap domains

cat /etc/pam.d/samba
#%PAM-1.0
# * pam_smbpass.so authenticates against the smbpasswd file
# * changed Redhat's 'pam_stack' with 'include' for *BSD compatibility
# (Diego "Flameeyes" Petteno'): enable with pam>=0.78 only
auth required pam_smbpass.so nodelay
account include system-auth
session include system-auth
password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf

cat /etc/pam.d/system-auth-winbind
#%PAM-1.0
# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/config/system-auth-winbind,v 1.2 2008/03/10 08:15:41 dev-zero Exp $

auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so

account sufficient pam_winbind.so
account required pam_unix.so

password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so

Спасибо