[Samba] No KDC in requested realm (workgroup name)

[chris at chrullrich.net]

Hello all,

this is with Samba 3.3.4 on FreeBSD, built locally from ports. The
server is joined to a Windows 2008 AD domain. I'm only using winbind,
because all I need are users and groups; this isn't a file server.

As far as I can tell, it is actually working fine; winbindd can get
all the required information from the DC.

The NetBIOS name of the domain is MYDOMAIN, the DNS name is 
my-domain.local, the Kerberos realm is accordingly MY-DOMAIN.LOCAL .

smb.conf:

        workgroup = MYDOMAIN
        realm = MY-DOMAIN.LOCAL

The problem I have are a lot of lines like this in log.wb-MYDOMAIN and
log.winbindd: 

[2009/06/09 00:06:17,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
  ads_krb5_mk_req: krb5_get_credentials failed for dc1$@MYDOMAIN (Cannot contact any KDC for requested realm)
[2009/06/09 00:06:17,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot contact any KDC for requested realm

As you see, it's trying to find a KDC for the _workgroup_ name, not the
DNS name. I suppose that it has no trouble locating a DC for the correct
realm name (because it doesn't log any errors and that part of it works
fine).

wbinfo --all-domains gives me this:

BUILTIN
INFRA2 (which is the host name)
MYDOMAIN (the NetBIOS name again)

The first attempt to "net ads join" the domain also _apparently_ failed
with the same symptom, the second attempt worked (well, it told me the
DNS update failed, but that's most likely a permissions issue with the
preexisting DNS record).

Is this simply a cosmetic issue, or is there more to it?

Thanks in advance for you help,

-- 
Christian Ullrich