I can honestly tell you that I do not know the root cause of your problem.
The positive, however, is I can tell you that you can achieve what you want. Exactly how to get there from your current position is a different matter.
Let me explain.
For some reason, your question piqued my interest, and a good old web search didn't tell me a lot. The only references I could find that seemed useful were, for example
http://readlist.com/lists/lists.samb...a/4/23596.html
So, what I decided to do was to take a working PDC setup I have here at home, and the only change I made was to add
obey pam restrictions = yes
to smb.conf.
I then added a line to /etc/security/time.conf to restrict one of the users to weekdays only.
I then added the restriction to system-auth (commented out below)
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
#account requisite pam_time.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
With the pam_time.so uncommented, the user cannot log on to the domain. With it commented out, they are back in.
So my suggestion would be to comment out "obey pam restrictions = yes" in your smb.conf and get your controller working. Then try uncommenting it again.
Note that I was connecting from XP.
Here is the general portion of my smb.conf.
Code:
security = user
passdb backend = tdbsam
domain master = yes
domain logons = yes
# the login script name depends on the machine name
# the login script name depends on the unix user used
logon script = %U.bat
logon path = \\%L\Profiles\%U
# disables profiles support by specifying an empty path
add user script = /usr/sbin/useradd "%u" -n -g users
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
delete user from group script = /usr/sbin/userdel "%u" "%g"
delete group script = /usr/sbin/groupdel "%g"
obey pam restrictions = yes
null passwords = yes
logon drive = l:
logon home = \\%L\home
os level = 35
wins support = yes
Hopefully this helps you somewhat.
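The post restricts a user through pam_time and /etc/security/time.conf. What follows is an added example, not the poster's configuration or pam_time's own code: a simplified Python model of how a time.conf rule set is evaluated, so a weekday-only rule can be checked against sample timestamps before it is wired into the Samba PAM stack. The rule set, user name, service name and timestamps are constructed for the illustration.

```python
"""Simplified model of how pam_time evaluates /etc/security/time.conf.
Added example, not the poster's configuration or pam_time's own code. Covers
the common subset: fields services;ttys;users;times, '*' wildcards, '!'
negation and '|' lists, day codes (Mo..Su, Wk, Wd, Al) and HHMM-HHMM ranges;
the '&' operator is not modelled."""
from datetime import datetime

DAY_CODES = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
             "Su": {6}, "Wk": set(range(5)), "Wd": {5, 6}, "Al": set(range(7))}


def field_matches(spec, value):
    """'*' matches anything, a leading '!' negates, '|' separates alternatives."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    return (spec == "*" or value in spec.split("|")) != negate


def time_matches(spec, when):
    """Time field: optional '!', day codes joined by '|', then HHMM-HHMM.
    'when' is a datetime or ISO string; an end before start wraps midnight."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    days, clock = spec[:-9], spec[-9:]              # 'HHMM-HHMM' is 9 chars
    start, end = (int(t) for t in clock.split("-"))
    allowed_days = set().union(*(DAY_CODES[d] for d in days.split("|")))
    now = when.hour * 100 + when.minute
    in_clock = start <= now < end if start <= end else (now >= start or now < end)
    return (when.weekday() in allowed_days and in_clock) != negate


def access_allowed(rules, service, tty, user, when):
    """Every rule whose service, tty and user fields all match must also match
    the time, otherwise access is denied. Blank and '#' lines are skipped."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        services, ttys, users, times = line.split(";")
        fields = ((services, service), (ttys, tty), (users, user))
        if all(field_matches(s, v) for s, v in fields) and not time_matches(times, when):
            return False
    return True


# Constructed rule set in the spirit of the post: 'fred' may use samba on weekdays only.
RULES = "# services;ttys;users;times\nsamba;*;fred;Wk0000-2400\n"

if __name__ == "__main__":
    print(access_allowed(RULES, "samba", "smb", "fred", "2024-01-02T09:30"))  # Tuesday: True
    print(access_allowed(RULES, "samba", "smb", "fred", "2024-01-07T09:30"))  # Sunday: False
```

Note that the rule only bites when the service name in the first field matches what smbd registers with PAM; a rule that never matches denies nothing, which is one thing to check when the restriction appears to have no effect.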