- 03-10-2011 #1 Just Joined!
Samba with ADS authentication
I managed to set this up on a test box, and it is working fine. However, I now have to set it up on a replica of a live system, in a test network, and I have no idea how to troubleshoot it.
Running samba3-3.4.11-42.el5 on RHEL5.5
smb.conf has:
[global]
workgroup = XXX
realm = XXX.COM
security = ads
# use kerberos keytab = yes
krb5.conf has:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = XXX.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
XXX.COM = {
kdc = ANIMAL.XXX.COM:88
# admin_server = animal.example.com:749
# default_domain = xxx.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
And nsswitch has:
passwd: files winbind
shadow: files winbind
group: files winbind
Here is what I did:
1. Upgrade samba client from the base version (3.0.X) to 3.4
2. Install the corresponding server and winbind
3. Copy nsswitch, smb.conf and krb5.conf to the server.
4. Ran kinit admin. This worked.
5. Ran klist. This showed the correct domain token
6. Ran kdestroy
7. Ran "join ads -U admin" This worked.
8. When I run "net ads testjoin" it says join is ok.
HOWEVER when I try to browse to the server, it pops up a login box. When I check the logs it is giving:
check_ntlm_password: Checking password for unmapped user [XXX]\[brian]@[soundwave] with the new password interface
So it's not mapping the users to ADS.
I have no idea how I managed to get it working on the other system.
I have obviously forgotten something.
- 03-10-2011 #2 Just Joined!
I can see the users and groups with wbinfo -g and -u.
Why is samba not using winbind to look up the user?
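
An added example, not part of the original posts: a consistency check across the three files quoted in post #1 (smb.conf, krb5.conf, nsswitch.conf), useful when copying configuration from one box to another. The sample strings are constructed by abridging the post's files, and the function names are hypothetical; the check only reports where the files disagree and does not by itself explain the login prompt.

```python
import re
# Constructed samples, abridged from the files quoted in post #1.
SMB_CONF = "[global]\nworkgroup = XXX\nrealm = XXX.COM\nsecurity = ads\n"
KRB5_CONF = """[libdefaults]
default_realm = XXX.COM
[realms]
XXX.COM = {
kdc = ANIMAL.XXX.COM:88
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
"""
NSSWITCH = "passwd: files winbind\nshadow: files winbind\ngroup: files winbind\n"

def parse_sections(text):
    """Parse INI-like text into {section: {key: value}}; comments and '}' are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value  # sub-block keys (e.g. kdc) land in the parent section
    return sections

def check(smb_text, krb5_text, nss_text):
    """Return a list of findings; an empty list means the three files agree."""
    g = parse_sections(smb_text).get("global", {})
    krb = parse_sections(krb5_text)
    realm, findings = g.get("realm", ""), []
    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf: security is not ads")
    if krb.get("libdefaults", {}).get("default_realm") != realm:
        findings.append("krb5.conf: default_realm differs from smb.conf realm")
    if realm not in krb.get("realms", {}):
        findings.append("krb5.conf: no [realms] entry for " + realm)
    for domain, mapped in krb.get("domain_realm", {}).items():
        if mapped != realm:
            findings.append(f"krb5.conf: [domain_realm] {domain} maps to {mapped}, not {realm}")
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:(.*)$", nss_text, re.M)
        if not m or "winbind" not in m.group(1).split():
            findings.append(f"nsswitch.conf: {db} does not list winbind")
    return findings
```

On the abridged files, `check(SMB_CONF, KRB5_CONF, NSSWITCH)` reports only the two `[domain_realm]` lines that still point at EXAMPLE.COM.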