First off, I wasn't sure who to report this bug to - it might be the FreeBSD dev team's responsibility.
wbinfo -u shows AD users, however pw user show -a only shows local users (same with group lists)
/var/log/messages is filled with
May 16 14:35:19 fileserver winbindd: [2008/05/16 14:35:19, 0] nsswitch/idmap.c:idmap_alloc_init(750)
May 16 14:35:19 fileserver winbindd: ERROR: Initialization failed for alloc backend, deferred!
# cat /etc/nsswitch.conf
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
group: files winbind
hosts: files dns
passwd: files winbind
# cat /usr/local/etc/smb.conf
workgroup = COTN
realm = INTERNATIONALOFFICE.COTNI.ORG
security = ADS
password server = cotn-fs.internationaloffice.cotni.org
encrypt passwords = yes
use kerberos keytab = Yes
allow trusted domains = No
idmap backend = ldap
idmap uid = 1000-100000
idmap gid = 1000-100000
log level = 100
syslog only = Yes
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind nss info = sfu
winbind offline logon = Yes
winbind refresh tickets = True
winbind use default domain = Yes
Changing security = ldap to security = ad results in...
May 16 14:41:58 fileserver winbindd: ERROR: Could not get methods for backend ad
May 16 14:41:58 fileserver winbindd: [2008/05/16 14:41:58, 0] nsswitch/idmap.c:idmap_init(728)
May 16 14:41:58 fileserver winbindd: Aborting IDMAP Initialization ...
I found (via Google) the same issue on a number of systems but for older versions of Samba - no idea if the issue persists, or if it's fixed in 3.0.28a (waiting on port update if so).
Sorry, forgot to change the OS
I changed "idmap backend" to "idmap backend = tdb" and it seems to be working with samba-3.0.28a. "ad" still returns the same errors, so I'll leave this bug open if someone else wants to pick it up.
Sorry for not coming to this earlier. I think this is not an issue any more. In any case, don't use the deprecated parameters "winbind use default domain" and "winbind enum users/groups". Also "password server" should be automatically got via DNS and not set manually. If you still see the problem with a cleared config with 3.6 or 4.0 please reopen this bug! Thanks.