Geez, what a can of worms samba/winbind + windows server 2000/2003 _STILL_
is today : :

Release Notes for Samba 3.0.20a
Sept 30, 2005

Recent security updates for Windows 2000 and Windows 2003 have changed
the fashion in which user and group lists can be obtained from domain
controllers. In short, the RPC mechanisms used by "security = domain" to
retrieve users and groups is not compatible with these changes. The
"security = ads" configuration is not affected by the Windows protocol

Samba developers are actively working to correct this problem in
the 3.0.21 release. In the meantime, Administrators who are unable
to migrate to "security = ads" and must continue using "security =
domain", can define credentials to be used by winbindd for account
enumeration by executing the following command as root.

wbinfo --set-auth-user='DOMAIN\username%password'

So my idea : only use samba domain controllers and make sure winbindd runs
rocksolid on these..... yeah! but... where's the docs on_THAT_ ???

Besides _ALL_ the docs on winbind i could find speak about a Winblows
domain controller as the NTLM server.

Hmm what about this :

"TUTORIAL with Gerald (Jerry) Carter: Winbind - Inside and Out"

"How to configure Winbind on a Samba domain controller to handle users and
groups from trusted domains. "

Well thats exactly what i need to figure out, But huh? Is this an
announcement for a tutorial session, which you needto pay for admittance ?
So where do we download the docs from that tutorial??

Why i need winbindd on a Samba PDC ? well there's this brilliant program
called squid, wich has this 177+ Kbytes config file, which needs a
working winbindd to be able to use /usr/bin/ntlm_auth. So anyone who has
this working?

Robert M. Stockmann - RHCE
Network Engineer - UNIX/Linux Specialist