Rainer Weber
2007-Jan-09  16:08 UTC
[Samba] Can't get kerberos ticket with samba 3.0.23d and Windows Server 2k3 SP1
Hi,
I've installed Samba 3.0.23d on Solaris 10 (SPARC) with MIT Kerberos 
1.5.1, OpenLDAP 2.3.30 and OpenSSL 0.9.8d.
I have 2 Windows Server 2003 SP1 domain controllers and about 20 Windows 
XP SP2 clients.
My problem is that I can't get a Kerberos ticket to join the domain.
If I try to get a ticket with 'kinit Administrator@PONTOS.LOCAL' I 
always get the error
kinit(v5): KDC policy rejects request while getting initial credentials
The time between the Windows and Solaris servers is synced and there is an 
AD DNS server running and (I think so) properly configured.
We have another Samba server that was installed 1.5 years ago. At that 
time I was able to get a ticket and to join the domain. The only thing 
that was changed is the installation of SP1 on the DCs.
I hope somebody can help me!
Here are my config files:
/usr/local/samba/lib/smb.conf:
# Samba config file created using SWAT
# from 192.68.254.236 (192.68.254.236)
# Date: 2007/01/09 16:21:44
[global]
         workgroup = PONTOS
         realm = PONTOS.LOCAL
         security = ADS
         map to guest = Bad User
         password server = 192.68.254.81 #That is the IP of the 1st DC
         root directory = /
         username map = /usr/local/samba/private/user.map
         lanman auth = No
         ntlm auth = No
         client NTLMv2 auth = Yes
         client lanman auth = No
         client plaintext auth = No
         log level = 3
         min protocol = NT1
         client signing = required
         server signing = required
         load printers = No
         domain master = No
         ldap ssl = no
         idmap uid = 10000-20000
         idmap gid = 10000-20000
         template homedir = /home/%U
         winbind separator = +
         winbind enum users = Yes
         winbind enum groups = Yes
         hosts allow = themisto, psamathe, rhea, agaue, 192.68.254.81, 192.68.254.82
[local_home]
         path = /local_home
         read only = No
[raiweber]
         path = /local_home/nt4_home/raiweber
         read only = No
         browseable = No
----------------------------------
/etc/krb5/krb5.conf:
[libdefaults]
         default_realm = PONTOS.LOCAL
[realms]
         PONTOS.LOCAL = {
                 kdc = themisto.pontos.local
                 admin_server = themisto.pontos.local
         }
[domain_realm]
         .pontos.local = PONTOS.LOCAL
         pontos.local = PONTOS.LOCAL
[logging]
         default = FILE:/var/krb5/kdc.log
         kdc = FILE:/var/krb5/kdc.log
         kdc_rotate = {
                 period = 7d
                 versions = 10
         }
[appdefaults]
         kinit = {
                 renewable = true
                 forwardable = true
         }
-- 
+--------------------------------------+
| Max Planck Institute for Mathematics |
|        System Administration         |
|                                      |
|  Vivatsgasse 7, 53111 Bonn, Germany  |
|  Tel       +49 (0)228-402-239        |
|  Fax       +49 (0)228-402-277        |
|  Email     raiweber@mpim-bonn.mpg.de |
+--------------------------------------+
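Before suspecting the KDC, it is worth re-reading the two config files above the way the software reads them. The script below is an added example (not code from the original post, from Samba or from MIT Kerberos); it embeds abridged copies of the posted smb.conf and krb5.conf as constructed strings, parses them with a small parser for the section/key/brace shape both files share, and reports three things that are checked offline: a value line that carries a trailing `#` note (Samba only treats lines that begin with `#` or `;` as comments, so the note becomes part of the value and `password server` turns into a list of bogus entries), disagreement between `realm` in smb.conf and `default_realm` in krb5.conf, and a `kdc` host that the `[domain_realm]` section would not map back to its own realm. None of these is asserted to be the cause of the KDC_ERR_POLICY reported above; they are the cheap checks to clear first.

```python
"""Offline consistency checks for the smb.conf / krb5.conf pair posted above.
Added example, not code from the post or from the Samba project; the configs
are embedded as constructed strings (abridged from the post) so it runs with
no domain. It flags: trailing '#' notes on a value line (Samba only treats
lines that start with '#' or ';' as comments, so the note becomes part of
the value); 'realm' vs 'default_realm' disagreement; and a kdc host that
[domain_realm] would not map back to its own realm."""
import re

SMB_CONF = """\
[global]
        workgroup = PONTOS
        realm = PONTOS.LOCAL
        security = ADS
        password server = 192.68.254.81 #That is the IP of the 1st DC
        hosts allow = themisto, psamathe, rhea, agaue, 192.68.254.81, 192.68.254.82
"""
KRB5_CONF = """\
[libdefaults]
        default_realm = PONTOS.LOCAL
[realms]
        PONTOS.LOCAL = {
                kdc = themisto.pontos.local
                admin_server = themisto.pontos.local
        }
[domain_realm]
        .pontos.local = PONTOS.LOCAL
        pontos.local = PONTOS.LOCAL
[appdefaults]
        kinit = {
                forwardable= true
        }
"""

def parse_conf(text):
    """'[section]' / 'key = value' / 'name = { ... }' into nested dicts.
    Whole-line '#' or ';' comments are skipped; a repeated key overwrites."""
    sections, stack = {}, []          # stack[-1] is the dict being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        key, sep, value = line.partition("=")
        if sep and stack:
            stack[-1][key.strip()] = value.strip()
    return sections

def inline_comments(smb):
    """(section, key, value) for every smb.conf value that still carries a '#'."""
    return [(s, k, v) for s, kv in smb.items()
            for k, v in kv.items() if isinstance(v, str) and "#" in v]

def password_servers(smb, strip_comment=False):
    """'password server' split the way Samba does (whitespace or commas);
    strip_comment=True gives what the trailing note evidently meant."""
    value = smb["global"].get("password server", "")
    if strip_comment:
        value = value.split("#", 1)[0]
    return [x for x in re.split(r"[\s,]+", value) if x]

def realm_mismatch(smb, krb):
    """None if both files name the same realm, else (smb_realm, krb_realm)."""
    a, b = smb["global"].get("realm", ""), krb["libdefaults"].get("default_realm", "")
    return None if a.upper() == b.upper() else (a, b)

def realm_for_host(host, krb):
    """Apply [domain_realm]: exact host first, then the longest '.suffix' match."""
    mapping, host, best = krb.get("domain_realm", {}), host.lower(), None
    if host in mapping:
        return mapping[host]
    for dom, realm in mapping.items():
        if dom.startswith(".") and host.endswith(dom) and (best is None or len(dom) > len(best[0])):
            best = (dom, realm)
    return best[1] if best else None

def kdc_checks(krb):
    """realm -> (kdc host, True if [domain_realm] maps that host to the realm)."""
    out = {}
    for realm, cfg in krb["realms"].items():
        kdc = cfg.get("kdc", "").split(":")[0]   # drop an optional :port
        out[realm] = (kdc, realm_for_host(kdc, krb) == realm)
    return out

SMB, KRB = parse_conf(SMB_CONF), parse_conf(KRB5_CONF)

if __name__ == "__main__":
    for s, k, v in inline_comments(SMB):
        print(f"[{s}] {k}: Samba sees {password_servers(SMB)}, meant {password_servers(SMB, True)}")
    print("realm mismatch:", realm_mismatch(SMB, KRB), "| kdc mapping:", kdc_checks(KRB))
```

Run against the posted files, the realm and KDC mapping checks come back clean, but the `password server` line is reported: Samba would see the whole trailing note as extra server names. If that note is really in the file and not just an annotation added to the mail, put it on its own line and re-run `testparm` to confirm what Samba parses. Time skew and DNS SRV records for the realm cannot be checked offline and are not covered here.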
