Alan Munter
2003-Oct-10 19:58 UTC
[Samba] mystified by interaction between krb5.conf, smb.conf, and winbindd
I am stumped here. I am a novice at using samba to do MS Active Directory stuff, but I have read everything I could find in the HOWTO collection and on the linux.samba cache of the list and am still stuck.

A bit of background... I have set up a Windows 2003 server as a domain controller here and configured it to be the DNS for a fictitious domain for internal use only. The domain functional level is Windows 2003. I am calling the domain "windomain.nist.gov" and have set up the Win2003 server to do DNS and AD authentication for the "windomain" domain.

I have a Redhat 7.3 machine on my desk that I wanted to add to the AD domain and do authentication to it using winbind. I uninstalled the samba rpms supplied by redhat and installed the samba 3.0.0 binary rpm compiled for redhat 7.3 by Gerald Carter. I also got the source for MIT Kerberos5 1.3.1, compiled it with the prefix "/usr/kerberos" (since that is where redhat installs the kerberos stuff) and just installed it on top of the redhat supplied kerberos stuff since there were too many dependencies to remove the redhat ones.

I was able to use kinit to get a kerberos ticket and then add my Linux Samba machine to the AD domain. I modified smb.conf and krb5.conf and started winbind and am able to use wbinfo to check some things, but not others. I cannot seem to get "wbinfo -u/wbinfo -g" and "wbinfo -t/wbinfo -a" to work simultaneously unless I play a little trick with my krb5.conf file.

Here is what happens:

/etc/init.d/smb start
/etc/init.d/winbind start

[root@desktop bin]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
Could not check secret

[root@bhd bin]# wbinfo -u
Administrator
Guest
SUPPORT_388945a0
krbtgt
amunter
IUSR_WINSERVER
IWAM_WINSERVER

so -u worked but -t failed.

Then I go into krb5.conf and comment out the kdc line like so:

[realms]
 WINDOMAIN.NIST.GOV = {
  admin_server = winserver.windomain.nist.gov
  default_domain = WINDOMAIN.NIST.GOV
  #kdc = winserver.windomain.nist.gov
 }

and now they both work. However, when I then restart winbind with that line commented out

/etc/init.d/winbind restart

now "wbinfo -t" still works to check the secret, but "wbinfo -u" does not work to get the list of users.

Here are the relevant files:

----------------- krb5.conf -----------------
[libdefaults]
 default_realm = WINDOMAIN.NIST.GOV

[realms]
 WINDOMAIN.NIST.GOV = {
  admin_server = winserver.windomain.nist.gov
  default_domain = WINDOMAIN.NIST.GOV
  kdc = winserver.windomain.nist.gov
 }

[domain_realm]
 .ncnr.nist.gov = WINDOMAIN.NIST.GOV
 ncnr.nist.gov = WINDOMAIN.NIST.GOV

[logging]
 kdc = CONSOLE

------------------------- section of smb.conf -------------------------
[global]
 workgroup = WINDOMAIN
 server string = Alan's Samba 3.0 Server
 realm = WINDOMAIN.NIST.GOV
 security = ADS
 winbind separator = +
 winbind use default domain = yes
 idmap uid = 10000-20000
 winbind gid = 10000-20000
 winbind enum users = yes
 winbind enum groups = yes
 client use spnego = yes
 template homedir = /home/WINDOMAIN
 template shell = /bin/bash
 password server = WINSERVER
-------------------------

I only have one DNS server in resolv.conf and that is pointing to the windows DC.

Any suggestions for what is going wrong or what other log files I should look at to figure out what's up?

Thanks for any suggestions,
Alan

--
Alan E. Munter
NIST Center for Neutron Research
Physical Scientist
100 Bureau Dr., Stop 8562
alan.munter@nist.gov
Gaithersburg, MD 20899-8562
http://www.ncnr.nist.gov/
(301)975-6244
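An added consistency check, written for this thread and not part of the post or of Samba: it parses the two files in the format shown above and reports whether smb.conf's "realm", krb5.conf's "default_realm", the realm's "kdc" line and the [domain_realm] mapping agree, so the effect of commenting out "kdc" is visible before restarting winbindd. The sample contents, the function names and the finding text are mine; the KDC-via-DNS-SRV fallback it mentions is the MIT behaviour when "dns_lookup_kdc" is enabled.

```python
# Constructed samples modelled on the post's two files (not copied verbatim).
KRB5_CONF = """[libdefaults]
    default_realm = WINDOMAIN.NIST.GOV
[realms]
    WINDOMAIN.NIST.GOV = {
        admin_server = winserver.windomain.nist.gov
        #kdc = winserver.windomain.nist.gov
    }
[domain_realm]
    .ncnr.nist.gov = WINDOMAIN.NIST.GOV
"""
SMB_CONF = """[global]
    realm = WINDOMAIN.NIST.GOV
    security = ADS
"""

def parse_conf(text):
    """Parse krb5.conf/smb.conf text; one level of '{ }' nesting; '#'/';' start comments."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            conf[section] = {}
        elif line == '}':
            sub = None                      # leave the nested realm block
        elif '=' in line:
            key, val = (s.strip() for s in line.split('=', 1))
            if val == '{':
                sub = key                   # enter e.g. WINDOMAIN.NIST.GOV = {
                conf[section][key] = {}
            elif sub is not None:
                conf[section][sub][key] = val
            else:
                conf[section][key] = val
    return conf

def check_realm_setup(krb5, smb):
    """Return findings on whether the two files describe the same realm and a KDC."""
    findings, realm = [], smb.get('global', {}).get('realm', '')
    if realm != krb5.get('libdefaults', {}).get('default_realm'):
        findings.append('realm in smb.conf differs from default_realm in krb5.conf')
    if 'kdc' not in krb5.get('realms', {}).get(realm, {}):
        findings.append(f'no kdc line for {realm}: libkrb5 must locate the KDC via DNS SRV records')
    dom, dr = realm.lower(), krb5.get('domain_realm', {})
    if dom not in dr and '.' + dom not in dr:
        findings.append(f'domain_realm has no entry for {dom}; hosts there use the default mapping')
    return findings
```

Running check_realm_setup(parse_conf(KRB5_CONF), parse_conf(SMB_CONF)) on the sample reports the missing kdc line and the unmapped domain; uncommenting kdc removes the first finding.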