diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 504f594..6b24a19 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -434,6 +434,7 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred
 	} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
 		if (memcmp(base->key.key, zeros,  
 			   sizeof(base->key.key)) != 0) {
+			DEBUG(0, ("Key for user session key decryption: %x %x %x\n", creds->session_key[0], creds->session_key[1], creds->session_key[2]));
 			netlogon_creds_arcfour_crypt(creds, 
 					    base->key.key, 
 					    sizeof(base->key.key));
diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
index 0672f67..6c0e682 100644
--- a/libcli/auth/schannel_sign.c
+++ b/libcli/auth/schannel_sign.c
@@ -176,6 +176,7 @@ NTSTATUS netsec_incoming_packet(struct schannel_state *state,
 	SIVAL(seq_num, 4, state->initiator?0:0x80);
 
 	if (do_unseal) {
+		DEBUG(0, ("SCHANEL KEY=%x %x %x\n",state->creds->session_key[0],state->creds->session_key[1],state->creds->session_key[2]));
 		netsec_do_seal(state, seq_num,
 			       confounder,
 			       data, length);
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index df83dc6..6454910 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1224,6 +1224,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 
 	generate_random_buffer(chal, 8);
 	if (lp_client_ntlmv2_auth()) {
+		DEBUG(10, ("We have lp_client_ntlmv2_auth %s %s\n",name_user, name_domain));
 		DATA_BLOB server_chal;
 		DATA_BLOB names_blob;
 		DATA_BLOB nt_response;
@@ -1314,6 +1315,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 		}
 		auth = netlogon_pipe->auth;
 		if (netlogon_pipe->dc) {
+			DEBUG(1, ("This is netlogon_pipe->dc\n"));
 			neg_flags = netlogon_pipe->dc->negotiate_flags;
 		}
 
@@ -1965,7 +1967,8 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 		if (netlogon_pipe->dc) {
 			neg_flags = netlogon_pipe->dc->negotiate_flags;
 		}
-
+		DEBUG(0, ("Forcing validation to 3\n"));
+		domain->can_do_validation6 = false;
 		if (auth == NULL) {
 			domain->can_do_validation6 = false;
 		} else if (auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) {