Mark R Bannister
2011-Sep-20 10:12 UTC
[Samba] kinit succeeded but ads_sasl_spnego_krb5_bind failed
Hi,

I've seen many people complain about this error message by Googling around, but I've never found a satisfactory explanation as to the cause and resolution. I'm hoping someone on the list will be able to point me in the right direction?

I'm attempting to get a RHEL 5.5 client configured to use winbind auth against Windows 2003 R2 AD (in fact my end game is to get all NIS maps served from AD, but one step at a time).

I've been following these steps:

http://wiki.samba.org/index.php/Samba_&_Active_Directory

But when I come to issue the 'net ads join' command:

    # net ads join -U administrator
    administrator's password:
    [2011/09/20 10:57:00, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
      kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Failed to join domain: Invalid credentials

So having manually configured it, I decided maybe 'authconfig' could help. I have no graphics here, so tried a command-line approach:

    # authconfig --enablecache --enablewinbind --enablewinbindauth --smbsecurity ads --smbrealm FMTEST.NET --smbidmapuid=100-4294967294 --smbidmapgid=100-4294967294 --enablewinbindusedefaultdomain --enablewinbindoffline --winbindjoin=Administrator --update

This made no difference (same error when trying to join). Apart from adding the 'winbind offline logon' option which I omitted from my manual approach, using the old idmap features instead of the new ones, and setting up PAM for winbind (which I hadn't got around to yet) there was no difference in config.

Debug modes, RHEL logs, Windows event logs, network traces - I've looked at them all and can't find anything that points to the exact problem.
Some pertinent info:

    # cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 5.5 (Tikanga)

    # rpm -qa | egrep 'samba|libsmb'
    libsmbclient-3.0.33-3.29.el5_5.1
    samba-client-3.0.33-3.29.el5_5.1
    samba-3.0.33-3.29.el5_5.1
    samba-common-3.0.33-3.29.el5_5.1

    # testparm
    Load smb config files from /etc/samba/smb.conf
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

    [global]
        workgroup = FMTEST
        realm = FMTEST.NET
        server string = Linux Test Machine
        security = ADS
        passdb backend = tdbsam
        log file = /var/log/samba/%m.log
        preferred master = No
        idmap domains = ALLDOMAINS
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind offline logon = Yes
        idmap config ALLDOMAINS:default = yes
        idmap config ALLDOMAINS:backend = ad
        idmap config ALLDOMAINS:range = 100-4294967294
        idmap config ALLDOMAINS:schema_mode = rfc2307

    # cat /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = FMTEST.NET
     dns_lookup_realm = false
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     FMTEST.NET = {
      default_domain = fmtest.net
     }

    [domain_realm]
     .fmtest.net = FMTEST.NET
     fmtest.net = FMTEST.NET

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

Can you advise?

Thanks,
Mark.