samba - Dec 2005 - AD member server setup with winbind idmap_rid - users prompted fo r password

Question:
How can I stop users from being prompted for a password?
Is secrets.tdb needed?
Do you think my problems are caused by having a different workgroup to
realm?

Problems:
I've gone over samba-by-example 7.3.4.1 on setting up idmap_rid with winbind
quite a few times now.  I also checked what JHT has said in chapter 12. All
of it seems correct. However I get loads of this before the machine finally
joins and shows up in the computers container of AD:

[2005/12/30 17:11:45, 0] libads/kerberos.c:get_service_ticket(356)
  get_service_ticket: kerberos_kinit_password
FPSYD$@GUESTSFURNITUREHIRE.COM.AU@GUESTSFURNITUREHIRE.COM.AU failed: Client
not found in Kerberos database
[2005/12/30 17:11:45, 0] libads/kerberos.c:get_service_ticket(356)
  get_service_ticket: kerberos_kinit_password
FPSYD$@GUESTSFURNITUREHIRE.COM.AU@GUESTSFURNITUREHIRE.COM.AU failed: Client
not found in Kerberos database
Joined 'FPSYD' to realm 'GUESTSFURNITUREHIRE.COM.AU'

I also have users being constantly asked for a username & password when they
access their homes share.

secrets.tdb doesn't get created.

These things work:
root# net ads testjoin
Join is OK

wbinfo -t or -u or -g  all show what they are supposed to show.


CONF file below:
[global]
        workgroup = GUESTSHIRE
        realm = GUESTSFURNITUREHIRE.COM.AU
        security = ADS
        allow trusted domains = No
        idmap backend = idmap_rid:GUESTSHIRE=5000-1000000
        idmap uid = 5000-1000000
        idmap gid = 5000-1000000
        winbind use default domain = Yes
        winbind nested groups = Yes