[Samba] Administrator cannot connect to samba on 2008 R2 ADS members

Bruce Richardson itsbruce at workshy.org
Wed Aug 10 10:58:46 MDT 2011

I have an odd situation where Samba 3.x domain members in an Active
Directory 2008 R2 domain cannot authenticate the Administrator.  All
other users work, but if I try to connect to the Samba services as the
domain Administrator, authentication fails.  The Windows domain
controllers are happy to accept connections from the Administrator (e.g.
using smbclient) but the Linux (CentOS 5.5 and 5.6) domain members are
not (I have encountered this problem with both Samba 3.3.8 and 3.5.4).

Direct Kerberos authentication using the Administrator account works
just fine, as does LDAP authentication (I am using ldap rather than
winbind in nsswitch.conf and I can ssh into the Linux domain members
just fine as the Administrator).

I can attach detailed logs if wanted, but am not sure which detail is
relevant.  Here's the smb.conf:

#======================= Global Settings =====================================


        workgroup = HQ
        realm = HQ.CORP.COM
        server string = 
# ----------------------- Domain Members Options ------------------------

        security = ADS
        passdb backend = tdbsam

# ------------------------- Winbind Options ------------------------------

        client ldap sasl wrapping = seal
        idmap backend = tdb
        idmap uid = 10000-19999
        idmap gid = 10000-19999
        idmap config HQ : backend = ad
        idmap config HQ : range = 10000-19999
        winbind nss info = rfc2307


Hierophant: someone who remembers, when you are on the way down,
everything you did to them on the way up.
