Linda Walsh
2010-Jan-14 01:33 UTC
[Samba] 0 length domain name & SCHANNEL can't be used to fetch trust account password?
I have a few errors I'm trying to chase down in an effort to get a Win7 client in my domain. WinXP works -- tested unjoining and rejoining today, and it can still join.

I have the registry adds for DNSNameResolutionRequired=0 under LanmanServer&Client/Params (put it in both places in an attempt to get things working), as well as a DomainCompatibilityMode=1.

I've tried moving to winbind for some flexibility, and it led me down an interesting path with some log messages on startup:

    initialize_winbindd_cache: clearing cache and re-creating with version number 1
    [2010/01/13 15:46:06, 2] winbindd/winbindd_util.c:235(add_trusted_domain)
      Added domain BUILTIN S-1-5-32
    [2010/01/13 15:46:06, 2] winbindd/winbindd_util.c:235(add_trusted_domain)
      Added domain BLISS S-1-5-21-33333-77777-33333
    [2010/01/13 15:46:08, 0] libsmb/namequery.c:75(saf_store)
      saf_store: refusing to store 0 length domain or servername!
    [2010/01/13 15:46:08, 1] rpc_client/cli_pipe.c:948(cli_pipe_validate_current_pdu)
      cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host ISHTAR!

Anyone seen an error about 0 length names before?

The OP_RNG error led me to try some ops with net rpc on ishtar. I tried a "net rpc samdump" and got:

    get_schannel_session_key: could not fetch trust account password for domain 'BLISS'
    cli_rpc_pipe_open_schannel: failed to get schannel session key from server 127.0.0.1 for domain BLISS.
    Could not initialise schannel netlogon pipe. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO

----

I presume this isn't just a 'noise level' problem? How can I re-initialize the schannel session key for Bliss? I even tried changing the trustpassword to see if that would reset the schannel key. It failed due to an inability to get the schannel session key.

Also, maybe it's unimportant, but with winbind running, I tried to fetch the DC name for my domain with "wbinfo --getdcname 'Bliss'", but it returned "Could not get dc name for Bliss".

Should this work with Samba 3.4.3? The Windows client goes from getting "Domain name can't be found" to "Access Denied" depending on combinations of the Sign/Seal level of security and NTLM/LM/NTLMv2 params (trying various combinations. Note: I've tried the identical settings of the XP client without success).

Anyone solved these problems or seen them before?

Thanks,
Linda
Not sure if this is the right list... Using the ports, I've installed Samba 3.0.3x, 3.3.13, 3.4.8, all with LDAP, ADS, WINBIND, ACL_SUPPORT, SYSLOG, UTMP, PAM_SMBPASS, EXP_MODULES, & POPT enabled in the config. They've all worked to some degree or another. I'm working with a large install of XP clients and some Windows 7 clients, so I'm looking toward the future releases for a long-term solution.

Anyway, I'm letting you know about these options for install of Samba 3.4.8 because I assume it has installed all the necessary Kerberos stuff as a required dep. However, as you'll see... perhaps not.

Ran this on the FreeBSD box:

    ./configure --enable-swat --enable-cups --with-ldap --with-ads --with-krb5=/usr --with-dnsupdate --with-pam --with-pam_smbpass --with-syslog --with-acl-support --with-winbind --with-utmp --enable-krb5developer

The output is long. I've pasted it at pastebin.com: http://pastebin.com/smHTLetA

So, trying to compile this with make: http://pastebin.com/H2EyWCVr

Anyway, it doesn't work; it errors out with:

    libsmb/clikrb5.c:1646:2: error: #error UNKNOWN_KRB5_ENCTYPE_TO_STRING_FUNCTION

Do I need a newer version of Kerberos on the machine? Or is this some other error?

Thanks,
Jack