[Samba] smbclient fails only for the domain Administrator

steve steve at steve-ss.com
Wed May 29 14:28:35 MDT 2013


4.0.6 with 3.6.12 file server
Hi
Ordinary users can connect fine:

smbclient //oliva/users -Usteve2
Enter steve2's password: 
Domain=[HH3] OS=[Unix] Server=[Samba 3.6.9]
smb: \> 

log:
schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/OLIVA
schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/OLIVA
auth_check_password_send: Checking password for unmapped user [HH3]\[steve2]@[\\HH16]
auth_check_password_send: mapped user is: [HH3]\[steve2]@[\\HH16]

 getent passwd steve2
steve2:*:3000023:20513:steve2:/home/users/steve2:/bin/bash
--------------------------

But Administrator (with rfc2307 attributes) can't:
  smbclient //oliva/users -UAdministrator
Enter Administrator's password: 
session setup failed: NT_STATUS_LOGON_FAILURE

log:
schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/OLIVA
schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/OLIVA
auth_check_password_send: Checking password for unmapped user [HH3]\[Administrator]@[\\HH16]
auth_check_password_send: mapped user is: [HH3]\[Administrator]@[\\HH16]
-------------------------------------
getent passwd Administrator
Administrator:*:3000099:20513:Administrator:/:

getent group Domain\ Users
Domain Users:*:20513:
-------------------------------------
smb.conf on the Samba3 file server:
[global]
workgroup = HH3
realm = HH3.SITE
kerberos method = system keytab
security = ADS
#username map = /home/steve/smbusers

[users]
path = /home/users
read only = No

[profiles]
path = /home/profiles
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = No
guest ok = No
printable = No
profile acls = Yes
csc policy = disable

[shared]
path = /home/shared
read only = No
-------------------------------------------

Question: Why can ordinary users connect, but not the domain admin?
Thanks, Steve





