samba - Jun 2007 - Credential caching (I guess) problems

I am trying to get rid of our broken domain out here.  I could go on for
hours about how it was not built at all sanely...

Anyway, in the attempt to remove it so that we can start over I built a
samba box, joined it to the domain long enough to vampire the accounts
down and then booted it from the domain (since my problems with
elections went unanswered).

I have a user not on the domain trying to connect to my new server.  His
box is trying to login with SPNEGO but failing because his local user
name (this particular user is named Administrator locally) is not his
domain username.

The system eventually gives up (3 attempts) and says "Account locked
out."  It does this without EVER prompting for a user name and password.
How on earth do I fix that so if SPNEGO fails it tries to
(re-)authenticate the user?  

samba 3.0.24-2ubuntu1.2 
# testparm
[global]
        display charset = UTF8
        workgroup = IWU_LEARN
        server string = %h server (Samba, Ubuntu)
        client schannel = No
        obey pam restrictions = Yes
        passdb backend = tdbsam
        algorithmic rid base = 10000
        passwd program = /usr/bin/passwd %u
        username map = /etc/samba/users.map
        restrict anonymous = 2
        lanman auth = No
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 1
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        smb ports = 139
        min protocol = NT1
        max mux = 100
        max xmit = 65535
        deadtime = 900
        max disk size = 5240
        socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
IPTOS_THROUGHPUT
        load printers = No
        domain logons = Yes
        os level = 1
        lm announce = No
        wins server = 192.168.132.25
        lock spin count = 30
        lock spin time = 15
        remote announce = 192.168.132.255/IWU_LEARN
        panic action = /usr/share/samba/panic-action %d
        invalid users = backup, bin, daemon, dhcp, games, gnats, irc,
klog, list, lp, mail, man, news, nobody, postfix, proxy, sync, sys,
syslog, uucp, www-data, root
        hosts allow = 192.168.132., 10., 172.16.1., 127.0.0.1
        hosts deny = 0.0.0.0/0
        ea support = Yes
        map acl inherit = Yes
        change notify timeout = 300

[homes]
        comment = Home Directories
        valid users = %S
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /home/samba/netlogon
        guest ok = Yes
        share modes = No

[IPC$]
        path = /var/empty
        guest ok = Yes

[ADMIN$]
        path = /var/empty
        guest ok = Yes

[template]
        path = /tmp
        read only = No
        create mask = 0775
        directory mask = 0775
        strict allocate = Yes
        use sendfile = Yes
        case sensitive = Yes
        preserve case = No
        hide special files = Yes
        hide unreadable = Yes
        hide unwriteable files = Yes
        browseable = No
        fstype = FAT
        wide links = No

[testshare]
	copy = template