Samba 3.0.x does not store the kerberos keytab entries in the default file 
system keytab, making it impossible for other services on the system (i.e. 
openssh, openldap, ksu, etc) to function.   In the URL field above I've 
specified a link to a patch that I've been working on that fixes this issue.

The patch will not modify the existing internals of smbd or net, but will 
supplement those binaries by making them write out a keytab when doing things 
like joining a machine to a domain.   In addition, the patch will change smbd 
to try to verify a kerberos message in addition to doing the routines that were 
previously in kerberos_verify().  The reason for this change is that with a 
file based keytab, samba can store both the current kvno entries and the 
previous kvno entries.   This is useful because if a machine's password is 
changed, the clients that have existing kerberos session keys will be unable to 
connect until those session keys time out or the client reboots.   Keeping the 
old entries in the keytab is what microsoft does to avoid this problem.   
Again, this behavior is implemented in a way so the smbd process will try to 
use the system keytab, and if that fails, it will run the previous kerberos 
verification routine.