Correct configuration of pam_winbind.so for login using AD accounts

Jim Hatfield subscriber at insignia.com
Wed Nov 23 16:33:01 GMT 2005


I'm using a newly-installed FBSD 6 system to experiment with
Single Sign-On to an Active Directory network.

Samba is installed, the machine is joined to the domain, winbind
seems to work fine, wbinfo -u lets me enumerate users OK.

I'm trying to work out how to edit the files in /etc/pam.d to get
pam_winbind to let me log on to the console using an AD account.
Most of the Samba docs seem to be Linux-specific and the sample
pam files don't match the ones in the FBSD 6 system.

What I did was to edit /etc/pam.d/login:

add "auth sufficient pam_winbind.so" as the 
penultimate line of the auth section, and the same
in the account section.

If I try to log in as an AD user on the console I get this in
/var/log/messages:

>Nov 23 15:30:36 speyburn pam_winbind[1330]: user 'INTERNAL+jhatfield' granted access
>Nov 23 15:30:36 speyburn pam_winbind[1330]: user 'INTERNAL+jhatfield' granted access
>Nov 23 15:30:36 speyburn winbindd[1324]: [2005/11/23 15:30:36, 0] rpc_client/cli_pipe.c:cli_rpc_open_noauth(1700)
>Nov 23 15:30:36 speyburn winbindd[1324]:   rpc_pipe_bind failed
>Nov 23 15:30:37 speyburn winbindd[1324]: [2005/11/23 15:30:37, 0] rpc_client/cli_pipe.c:cli_rpc_open_noauth(1700)
>Nov 23 15:30:37 speyburn winbindd[1324]:   rpc_pipe_bind failed
>Nov 23 15:30:37 speyburn login[1331]: setlogin(INTERNAL+jhatfield): Invalid argument - exiting

So I'm close but not there yet.

As an aside, I'm confused as to the difference between what
pam_winbind offers and what nss_winbind offers - I would have thought
either of them would be adequate to provide login access.


