samba - Nov 2007 - Cannot join Samba server to the ADS domain

Hi Guys,

I'm having real problems getting my Samba server to join the ADS domain.

When I run the join command I get the following error

./net ads join createcomputer="/UK/LDN/CRP-ETS/Servers/PROD" -U 
1r005390@EMEADEV.ADDEV.JPMORGANCHASE.COM%passw0rd
Using short domain name -- EMEADEV
[2007/11/21 19:11:48, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
  net_rpc_join_ok: failed to get schannel session key from server 
dbmtrdcdev01.emeadev.addev.jpmorganchase.com for domain EMEADEV. Error was 
NT_STATUS_ACCESS_DENIED
Failed to verify membership in domain!

I am using Samba-3.0.24 compiled from source.

# Samba config file created using SWAT
# from 169.93.76.145 (169.93.76.145)
# Date: 2007/11/21 19:03:52

[global]
        workgroup = EMEADEV
        realm = EMEADEV.ADDEV.JPMORGANCHASE.COM
        security = ADS
        password server = dbmtrdcdev01.emeadev.addev.jpmorganchase.com
        log file = /usr/local/samba/logs/log.%m
        smb ports = 445
        disable netbios = Yes
        name resolve order = host
        wins server = 169.123.120.127, 169.92.230.51
        ldap ssl = start tls


I know that the Kerberos keys are working as I can login to the ADS 
domain.

# /usr/local/kerberos5/bin/kinit 1r005390@EMEADEV.ADDEV.JPMORGANCHASE.COM
Password for 1r005390@EMEADEV.ADDEV.JPMORGANCHASE.COM:
# /usr/local/kerberos5/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: 1r005390@EMEADEV.ADDEV.JPMORGANCHASE.COM

Valid starting     Expires            Service principal
11/21/07 19:14:54  11/22/07 01:54:54 
krbtgt/EMEADEV.ADDEV.JPMORGANCHASE.COM@EMEADEV.ADDEV.JPMORGANCHASE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I also know that the tls key authentication is working because I can run 
an ldap query against the domain

# ../../bin/ldapsearch -x -Z -h 
dbmtrdcdev01.emeadev.addev.jpmorganchase.com -s base -b ""
"objectclass=*"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#

#
dn:
currentTime: 20071121191608.0Z
......
....
And so on...

Any help would be much apprehicated.

Thanks,

Paddy

-----------------------------------------
This communication is for informational purposes only. It is not
intended as an offer or solicitation for the purchase or sale of
any financial instrument or as an official confirmation of any
transaction. All market prices, data and other information are not
warranted as to completeness or accuracy and are subject to change
without notice. Any comments or statements made herein do not
necessarily reflect those of JPMorgan Chase & Co., its subsidiaries
and affiliates.

This transmission may contain information that is privileged,
confidential, legally privileged, and/or exempt from disclosure
under applicable law. If you are not the intended recipient, you
are hereby notified that any disclosure, copying, distribution, or
use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED. Although this transmission and any
attachments are believed to be free of any virus or other defect
that might affect any computer system into which it is received and
opened, it is the responsibility of the recipient to ensure that it
is virus free and no responsibility is accepted by JPMorgan Chase &
Co., its subsidiaries and affiliates, as applicable, for any loss
or damage arising in any way from its use. If you received this
transmission in error, please immediately contact the sender and
destroy the material in its entirety, whether in electronic or hard
copy format. Thank you.

Please refer to http://www.jpmorgan.com/pages/disclosures for
disclosures relating to UK legal entities.