Paul Sobey
2008-Nov-10 12:22 UTC
[Samba] Connecting to share - errors authenticating machine account - why?
I've got my smb.conf set as follows:

[global]
    disable spoolss = Yes
    show add printer wizard = No
    security = ADS
    log level = 1
    realm = FOO.BAR.COM
    password server = dc.foo.bar.com
    workgroup = FOO
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = +
    winbind use default domain = yes
    idmap backend = ad
    winbind nss info = rfc2307
    use kerberos keytab = yes
    client lanman auth = no
    client ntlmv2 auth = yes
    idmap uid = 10000-15000
    idmap gid = 5000-6000
    winbind refresh tickets = yes

When I connect to a share from a test workstation logged in as me, it takes a while to connect. In the logs, I see this:

[2008/11/10 11:58:05, 1] smbd/sesssetup.c:reply_spnego_kerberos(474)
  Username FOO+WORKSTATIONNAME$ is invalid on this system

I presume this is because I have rfc2307 set for winbind nss info? The behaviour I want, which I am seeing, is that only users in AD which have Unix UIDs defined show in getent passwd. Do I need to add a more general pool for rids so that they can be generated on the fly for computer accounts?

I am trying to use winbind as a general authentication-against-ad mechanism on lots of servers, but on the servers that run smbd, I also want to be able to serve files to XP clients as 'normally' as possible.

I'd appreciate any advice...

Cheers,
Paul