[Samba] samba windows-2-unix group mapping troubles

no at spam at mgEDV.net nospam at mgedv.net
Mon Apr 6 15:46:07 GMT 2009


hi,

i would like to allow access to specific samba shares, where
the windows domain user is NOT authenticated against the share
with its username, but with a membership of a given windows-group.

example:
windows-domain user "test01" -->
which is a member of windows domain group "smb_test01" -->
which gets mapped to the unix-group "smb01" -->
which is granted access to the share "testshare01".

this is needed to allow group admins to change share access
w/o needing to change anything on the samba server (not even
add local users or change group relationships on the ux server).

the samba 3.0.28 server is configured with SECURITY = ADS, is
a full member of the domain and can authenticate the users
successfully.


smb.conf (essentials shown):
[global]
        netbios name = TESTUNIX
        realm = test.local
        security = ADS
        server string = samba v3 testserver
        workgroup = TEST
        guest account = nobody
        map to guest = never
        idmap gid = 2000-2999
        idmap uid = 2000-2999

[testshare01]
        path = /data/samba/test01
        read only = no
        browseable = yes
        valid users = @smb01


unix user:
smb01:x:2000:2000:testshare01:/data/samba/test01:/usr/bin/ksh


unix group:
smb01::2000:

windows user:
TEST\test01

windows group:
TEST\smb_test01

# net ads join -U <domainuser>%<password>
Using short domain name -- TEST
Joined 'TESTUNIX' to realm 'TEST.LOCAL'

# net groupmap add ntgroup="smb_test01" unixgroup="smb01" type=d
No rid or sid specified, choosing a RID
Got RID 5001
Successfully added group smb_test01 to the mapping db as a domain group

error message from the smb log:
[2009/04/06 17:38:06, 2, pid=9320, effective(0, 0), real(0, 0)] smbd/service.c:(616)
  user 'test01' (from session setup) not permitted to access this share (testshare01)

please, if someone knows how to solve this, point me in the right direction :)

cheers.
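
Added example (not part of the original post, and not Samba's own code): this Python script evaluates the share's `valid users = @smb01` entry using only the unix passwd and group lines quoted in the post. It assumes a simplified model that ignores winbind and any SID-to-gid mapping, and the function names `unix_groups_of` and `unix_side_allows` are hypothetical.

```python
import configparser

# Constructed inputs, copied from the smb.conf, passwd and group lines in the post.
SMB_CONF = """\
[global]
security = ADS
workgroup = TEST

[testshare01]
path = /data/samba/test01
read only = no
valid users = @smb01
"""
PASSWD = "smb01:x:2000:2000:testshare01:/data/samba/test01:/usr/bin/ksh\n"
GROUP = "smb01::2000:\n"


def unix_groups_of(user, passwd=PASSWD, group=GROUP):
    """Group names the unix databases give `user` (primary gid or member list)."""
    primary = {f[0]: f[3] for f in (l.split(":") for l in passwd.splitlines())}
    names = set()
    for name, _pw, gid, members in (l.split(":") for l in group.splitlines()):
        listed = user in filter(None, members.split(","))
        if listed or primary.get(user) == gid:
            names.add(name)
    return names


def unix_side_allows(user, share, conf=SMB_CONF):
    """Evaluate `valid users` for `share` from unix names and groups only.

    Assumption: simplified model, no winbind and no SID-to-gid mapping.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf)
    entries = cp.get(share, "valid users", fallback="").replace(",", " ").split()
    if not entries:
        return True  # an empty list places no restriction on the share
    groups = unix_groups_of(user)
    for entry in entries:
        if entry[0] in "@+&" and entry.lstrip("@+&") in groups:
            return True  # group entry matched one of the user's unix groups
        if entry == user:
            return True  # plain user name entry
    return False


if __name__ == "__main__":
    for u in ("smb01", "test01"):
        print(u, "allowed" if unix_side_allows(u, "testshare01") else "denied")
```

With the data from the post, the unix databases alone place only the local account `smb01` in group `smb01`; nothing on the unix side links `test01` to that group.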


