[Samba] security=ADS related question

good ol' fighter fightersheart at gmail.com
Tue Mar 20 11:56:33 MDT 2012


Hi all,

I am just struggling with SAMBA design and I was wondering whether anyone
here can help.  In my environment, there is an AD server and my SAMBA
server is on an AIX box.  I need to set up SAMBA so that it will use AD
authentication AND a few particular users found in AD (but not yet in AIX)
will need to own the files within SAMBA shares. Is that possible?  The
thing is, other than those 2 or 3 AD users being able to authenticate for
SAMBA (and SAMBA ONLY), I really do not want it to be used for AIX
authentication.  So what kind of configuration do I need to try?

I got a server that's checking AD for the password and it appears to be
successful, but currently it requires me to create an entry in the
/etc/passwd file

testuser:!:500:100::/dev/null:/bin/false


(but no password given).

And my smb.conf looks like below.

[global]
        workgroup = TEST
        security = ADS
        encrypt passwords = Yes
        realm = TEST.TESTDOMAIN.COM
        winbind separator = +
        log file = /opt/pware/var/log.%m
        lock directory = /opt/pware/var/locks/samba
        client schannel = no

        idmap config TEST:default = yes
        idmap config TEST:backend = tdb
        idmap config TEST:range = 900 - 500000
        idmap alloc backend = tdb
        idmap alloc config:range = 900 - 500000

Am I doing this correctly?  I do not mind creating an entry in AIX, but if
anyone can either confirm or disagree that what I am doing is correct, that
will be great.

I've ordered "Using SAMBA - 3rd edition" but if someone is using a resource
that's better than that, please point me to it.

Thanks
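
An added example, not part of the original post and not Samba's own tooling: the idmap range is the pool from which winbind assigns UIDs to domain users, so a local passwd entry whose UID lies inside that pool can end up sharing a UID with a mapped AD user. This Python check reads the idmap ranges from an smb.conf like the one above and reports such collisions, unreadable range values, and accounts whose shell is not a non-login shell. The embedded inputs are constructed from the values in the post; `NOLOGIN_SHELLS`, `idmap_ranges` and `audit` are hypothetical names.

```python
import re

# Constructed inputs: the values are the ones shown in the post above.
SMB_CONF = """[global]
        security = ADS
        idmap config TEST:backend = tdb
        idmap config TEST:range = 900 - 500000
        idmap alloc config:range = 900 - 500000
"""
PASSWD = "testuser:!:500:100::/dev/null:/bin/false\n"

# Assumption: shells treated as non-login; adjust for the local system.
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin"}
RANGE_LINE = re.compile(r"^\s*(idmap\b.*range)\s*=\s*(.*?)\s*$", re.I)
LOW_HIGH = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def idmap_ranges(conf):
    """Return ([(param, low, high)], [problems]) for every idmap range line."""
    ranges, problems = [], []
    for line in conf.splitlines():
        m = RANGE_LINE.match(line)  # commented-out lines do not match
        if not m:
            continue
        param, value = " ".join(m.group(1).split()), m.group(2)
        lh = LOW_HIGH.match(value)
        if lh and int(lh.group(1)) <= int(lh.group(2)):
            ranges.append((param, int(lh.group(1)), int(lh.group(2))))
        else:
            problems.append(f"{param}: cannot read {value!r} as 'low - high'")
    return ranges, problems

def audit(conf, passwd):
    """List range problems, UID collisions and accounts with a login shell."""
    ranges, findings = idmap_ranges(conf)
    for entry in passwd.splitlines():
        fields = entry.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip comments and malformed lines
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        for param, low, high in ranges:
            if low <= uid <= high:
                findings.append(f"{name}: UID {uid} is inside {param} ({low}-{high})")
        if shell not in NOLOGIN_SHELLS:
            findings.append(f"{name}: shell {shell!r} is not a non-login shell")
    return findings

if __name__ == "__main__":
    print(audit(SMB_CONF, PASSWD) or "no findings")
```
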

