Peter Kruse
2004-Oct-09 09:39 UTC
[Samba] winbind doesn't follow updateref in replica ldap server
Hello all,

I have set up an HA cluster running under Debian GNU/Linux with samba 3.0.7, openldap 2.0.23 with two machines. Each machine runs winbindd and slapd. One additionally runs slurpd to replicate to the other. Replication works but winbind seems to add entries on the secondary ldap server and not follow the updateref given from the server. This is a problem since the ldap database runs out of sync.

The relevant configuration items are:

primary:

  slapd.conf:
    replica host=secondary:389 bindmethod=simple binddn=cn=admin,dc=domain,dc=com credential=secret

  smb.conf:
    idmap uid = 10000-650000
    idmap gid = 10000-650000
    winbind enum users = yes
    winbind enum groups = yes
    idmap backend = ldap:ldap://localhost
    ldap admin dn = "cn=admin,dc=domain,dc=com"
    ldap suffix = "dc=com,dc=com"

secondary:

  slapd.conf:
    updatedn cn=admin,dc=domain,dc=com
    updateref ldap://primary

  smb.conf:
    idmap uid = 10000-650000
    idmap gid = 10000-650000
    winbind enum users = yes
    winbind enum groups = yes
    idmap backend = ldap:ldap://localhost
    ldap admin dn = "cn=admin,dc=domain,dc=com"
    ldap suffix = "dc=com,dc=com"

(I have not set up an ou=idmap but this shouldn't matter)

I have added the credential with "smbpasswd -w" on both servers. winbind stores the idmap entries in the ldap database. But when I do "su <some ads user>" on the secondary, the uid of <some ads user> is stored in the ldap database of the secondary when the uid hasn't been seen before on the primary. When I do "su - <another ads user>" on the primary, the idmap is stored in the ldap database of the primary and replicated to the secondary correctly.

There are no log messages that indicate a problem or a hint for a solution. I have seen a message on this list concerning the same problem but no answer, so I thought I'd give you a little more information on this.

thanks,
Peter
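
A way to check for the divergence described in the post above, as an added example that is not part of the original message: it compares the sambaIdmapEntry records in LDIF dumps from the two slapd instances and reports SIDs mapped only on the secondary, plus ids that the two servers have given to different SIDs. The LDIF samples, SIDs and function names are constructed for illustration, and the parser assumes plain (non-base64, unfolded) LDIF.

```python
# Added example; the LDIF is constructed sample data (made-up SIDs and ids).
# PRIMARY_LATER: the primary has since given uid 10001 to another SID.
PRIMARY = """\
dn: sambaSID=S-1-5-21-1-2-3-1105,dc=domain,dc=com
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1-2-3-1105
uidNumber: 10000
"""
SECONDARY = PRIMARY + """
dn: sambaSID=S-1-5-21-1-2-3-1106,dc=domain,dc=com
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1-2-3-1106
uidNumber: 10001
"""
PRIMARY_LATER = PRIMARY + """
dn: sambaSID=S-1-5-21-1-2-3-1107,dc=domain,dc=com
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1-2-3-1107
uidNumber: 10001
"""

def parse_idmap(ldif):
    """Map sambaSID -> (attribute, id) for each sambaIdmapEntry record."""
    out = {}
    for record in ldif.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                attrs.setdefault(key.lower(), []).append(value.strip())
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "sambaidmapentry" in classes and "sambasid" in attrs:
            for kind in ("uidnumber", "gidnumber"):
                if kind in attrs:
                    out[attrs["sambasid"][0]] = (kind, int(attrs[kind][0]))
    return out

def divergence(primary_ldif, secondary_ldif):
    """Return (SIDs mapped only on the secondary, ids given to different SIDs)."""
    pri, sec = parse_idmap(primary_ldif), parse_idmap(secondary_ldif)
    only_secondary = sorted(set(sec) - set(pri))
    by_id = {mapping: sid for sid, mapping in pri.items()}
    collisions = sorted((m[0], m[1], by_id[m], sid) for sid, m in sec.items()
                        if m in by_id and by_id[m] != sid)
    return only_secondary, collisions

if __name__ == "__main__":
    for primary in (PRIMARY, PRIMARY_LATER):
        print(divergence(primary, SECONDARY))
```

A non-empty first list means the secondary accepted a local write instead of passing it to the primary; a non-empty second list means one uid or gid now resolves to different accounts depending on which node answers.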