[Samba] Enabling 'idmap backend = ad' for user auth

McGlorfin mcglorfin at yahoo.com
Fri Feb 3 01:01:38 GMT 2006


I'm using Samba 3.0.21a on Fedora Core 3 to authenticate against an AD 
domain. The box running AD is Win2k3 R2, so AD has the RFC2207 schema 
extensions applied.

I've successfully configured Fedora to do auth through winbind with the 
normal backend (using uid/gid mappings). Now I'd like to reconfig to use 
AD as the backend.

I was able to do this against a pre-R2 Win2k3 server with SFU extensions 
applied to AD. Now I'm working with R2.

I've followed the examples in the man pages and the HOW-TO doc 
(specifically 
http://us5.samba.org/samba/docs/man/Samba3-HOWTO/idmapper.html#idmapadsdms), 
but without success. I've tried various permutations of: restarting the 
Samba processes, leaving and rejoining the domain, tweaking various 
smb.conf parameters, and wiping out the various *.tdb files. No go.

Another data point: "wbinfo -t" succeeds, but "wbinfo -u" fails.
   root# wbinfo -u
   Error looking up domain users

I'm pretty sure there's an error in my smb.conf. (What else could it 
be?) Here are the relevant entries from the global section:
         workgroup = MYDOMAIN
         realm = MYDOMAIN.LOCAL
         security = ADS
         idmap backend = ad
         idmap uid = 300000-30000000
         idmap gid = 300000-30000000
         template homedir = /home/%D/%U
         template shell = /bin/bash
         winbind separator = \
         winbind cache time = 300
         winbind enum users = No
         winbind enum groups = No
         winbind use default domain = Yes
         winbind trusted domains only = Yes
         winbind nested groups = Yes
         winbind nss info = template, sfu

Thanks in advance for any insight you can offer.

-McG


