samba - Feb 2004 - 3.0.2rc2 ads member server: kerberos ok, ntlm fails

Hello,

I set up samba 3.0.2rc2 (also tried 3.0.1 which had other problems) on 
Debian sid as an ADS member server:

- joining the domain works flawlessly

- browsing the samba server via 'smbclient -k -L //samba' works
flawlessly

- browsing the samba server via 'smbclient -L //samba -U user%pw' fails 
with 'session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE'

- browsing an Win2k member server via 'smbclient -L //win2k -U user%pw' 
works flawlessly


Any sugesstions/hints on this from the samba gurus ?
More debug info is available if required.


btw. there is an interessting little thing:

samba client (3.0.1) and samba server negotiated as smb dialect: 'Samba'
according to http://www.ubiqx.org/cifs/SMB.html#SMB.6 this is not used 
anymore ...

samba client ans win2k negotiated as smb dialect: 'NT LANMAN 1.0'
(as expected I would say).



regards
Stefan


my smb.conf:
[global]
         workgroup = ITER
         realm = ITEREU.DE
         server string = %h server (Samba %v)
         security = ADS
         password server = x.x.x.x y.y.y.y
         passwd program = /usr/bin/passwd %u
         passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n .
         syslog = 0
         log file = /var/log/samba/log.%m
         max log size = 1000
         server signing = auto
         deadtime = 15
         keepalive = 0
         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
         load printers = No
         lm announce = No
         preferred master = No
         local master = No
         domain master = No
         dns proxy = No
         wins server = x.x.x.x, y.y.y.y
         ldap ssl = no
         utmp = Yes
         panic action = /usr/share/samba/panic-action %d
         invalid users = root
         hide special files = Yes
         delete veto files = Yes
         veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
         map archive = No