We have a couple of samba 3.x servers that are members of our windows AD, and authenticate users via AD. Our realm defininition in kdc5.conf was the likes of domain.net, and our kdc definition was pdc.domain.net. All worked just fine. However, the pdc was taken down for a move, and winbind could no longer look up user accounts. I changed the kdc definition to bdc.domain.net, but it was unable to look up users. Then out of desperation, we changed the kdc definition to the same thing as the realm, just domain.net, and it then was able to look up user accounts again, against the bdc obviously since the pdc was down, but what is puzzling is why when pointed directly at the bdc, it could not. Can anyone shed any light on this?