steve
2012-Jan-19 22:49 UTC
[Samba] Samba 4 GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed
Hi everyone,

I'm using nslcd to connect to Samba 4 LDAP. If I specify the binddn and bindpw in /etc/nslcd.conf, no problem: getent passwd works and everything is mapped just fine. But when I try to do a kerberized bind to Samba 4 LDAP, I get this:

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:33002 for ldap/hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server ldap/hh3.site at HH3.SITE that was not found
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE at HH3.SITE: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:33002

OK, fine. So I use samba-tool to make a principal ldap/hh3.site and stick it in a keytab. I use kinit to get a ticket for the principal holder. Now that it can find the principal, I get this error:

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:33982 for ldap/hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-19T23:22:44 starttime: 2012-01-19T23:25:59 endtime: 2012-01-20T09:22:44 renew till: 2012-01-20T23:22:38
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed

I think that this has something to do with what the KDC has and what the keytab has. The KDC and the keytab are on the same openSUSE machine. Deleting the principal brings me back to the first error, and recreating it to the second.

Can any Kerberos gurus help me with this one?

Thanks
Steve