[Samba] ADS Join and Insufficient Access

[M Maki]

My agency is moving all users and computers to a new domain. Our current domain uses AD and the new domain will use AD. My current samba servers are running 3.0.20a with ADS security with winbind on Debian Stable (Sarge) with no problems.

I set up a test samba server using 3.0.20b, the new krb5.conf and smb.conf.

kinit works fine. ("Authenticated to Kerberos v5")

I prestage the server by adding it to my OU with rights to add it to the domain as I have always done.

When I go to add it to the domain with
  net ads join -U mmaki at NEW.DOMAIN.NET
and enter my password

I get
  ads_add_machine_acct: Host account for smbtest already exists - modifying old account
     (which is normal for prestaged machines)
  ads_join_realm: ads_add_machine_acct failed (smbtest): Insufficient access
  ads_join_realm: Insufficient access

I have no problem adding Windows workstations with the same account, it's just adding the samba server.

What could I be missing?

Thanks,
Mike

Here is my smb.conf:
[global]
       netbios name = smbtest
       workgroup = NEW
       realm = NEW.DOMAIN.NET
       security = ADS
       password server = 10.0.1.1
       log file = /usr/local/samba/var/%m.log
       preferred master = No
       local master = No
       domain master = No
       idmap uid = 10000-40000
       idmap gid = 10000-40000
       # winbind use default domain = Yes
       winbind enum users = No
       winbind enum groups = No
       winbind nested groups = Yes
       socket options = TCP_NODELAY
       socket options = SO_RCVBUF=8192

[test]
       path = /home
       read only = No
       admin users = "NEW\mmaki"