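; smb.conf [global] section: Samba joined to Active Directory as a member
; server (security = ads), with winbind resolving domain users and groups.
; One parameter per line, full-line ';' comments only. Run testparm on the
; file before restarting smbd/winbindd.

[global]
workgroup = DOMAIN
realm = DOMAIN.NET
; Shown to clients that browse the server; note that it discloses the platform.
server string = %h server (Samba, AIX. No, really.)

; Listen only on loopback and en1. "bind interfaces only" is what actually
; restricts the listeners to that list.
interfaces = 127.0.0.0/8 en1
bind interfaces only = yes

; One log file per client machine name (%m); max log size is in KiB.
; With syslog = 0 only the lowest debug level is forwarded to syslog, so the
; per-client files are the detailed record: include them in log collection
; if they serve as the audit trail.
log file = /opt/samba/var/log/log.%m
max log size = 1000
syslog = 0

; AD member: authentication is handled against the domain (Kerberos/NTLM).
security = ads
encrypt passwords = yes
; PAM account and session restrictions are NOT applied to SMB logons.
obey pam restrictions = no
; A logon with an unknown user name is mapped to the guest account instead of
; being rejected. No share sections are visible here: confirm that no share
; allows guest access unless that is intended.
map to guest = bad user

; Never take part in browse-master elections; the domain provides that role.
domain master = no
local master = no
preferred master = no

; i've also tried this, which was working in 3.5.x
; idmap backend = hash
; idmap uid = 1000-4000000000
; idmap gid = 1000-4000000000

; NOTE(review): the idmap syntax changed between Samba 3.5 and 3.6. Check
; "default = yes" and a per-domain tdb backend against smb.conf(5) for the
; installed release.
; tdb allocates IDs locally in order of first use, so a given domain user can
; get a different uid on another host. File ownership is only comparable
; across machines if the mapping is deterministic or shared.
idmap config DOMAIN: default = yes
idmap config DOMAIN: backend = tdb
idmap config DOMAIN: range = 2000-4000000000

; Every winbind-resolved user is given this login shell. Interactive logins
; must be limited elsewhere (PAM, sshd) if domain users should not get one.
template shell = /usr/bin/ksh
; Domain users appear without the DOMAIN prefix, so a domain account name can
; coincide with a local account name. Review local accounts for overlaps.
winbind use default domain = yes
; NOTE(review): a backslash at end of line may be read as a line continuation
; by the smb.conf parser. Confirm the effective value with testparm.
winbind separator = \\
; Enumeration of all domain users/groups through NSS is disabled.
winbind enum groups = no
winbind enum users = no
winbind nss info = template
winbind normalize names = no
; Allows logon from locally cached credentials when no DC is reachable.
; The winbind cache files then hold credential material: keep them root-only.
winbind offline logon = yes

; Don't do member listing on groups
winbind nested groups = no
winbind expand groups = 0

; Kerberos keys are read from the system keytab, which must be readable by
; root only.
kerberos method = system keytab
; "*" locates domain controllers through DNS, so this depends on trustworthy
; name resolution.
password server = *
; NOTE(review): this overrides smbd's default authentication chain with
; winbind alone. Confirm it is still needed and supported on the installed
; release, and that "map to guest" behaves as intended with it.
auth methods = winbind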