This is a reminder of the well-known (and documented) error that comes up when using a Samba Domain Controller in a replicated OpenLDAP setup: if you join a workstation to a Domain Controller that itself is configured to use a read-only OpenLDAP slave, the account is not replicated fast enough. Thus the modified or created account will not be found by the subsequent pdb functions and your domain join will fail. The problem is very easy to work around with simple sleep calls in passdb/passdb.c:local_password_change and/or source/rpc_server/srv_samr_nt.c (don't remember where exactly). Andrew Bartlett proposed inventing sequence number(s) to track replicated entries.
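The race described above is a write to the master followed by a read from the replica. A fixed sleep only hides it for one particular replication delay. As an added example (not Samba's code, and not the patch discussed in this report), the shell function below waits for the new machine account to actually show up on the read-only replica, with a bounded number of attempts, so a join that outlives the lag fails with an explicit timeout rather than a confusing "account not found". The replica URI, base DN, filter attributes and the account name in the usage line are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example, not Samba code: replace a fixed replication sleep with a
# bounded poll of the read-only replica for the newly written account.
# REPLICA_URI, BASE_DN and the filter below are assumptions for illustration.

REPLICA_URI=${REPLICA_URI:-ldap://ldap-slave.example.com}
BASE_DN=${BASE_DN:-dc=example,dc=com}

# Exit 0 as soon as the account is visible on the replica, 1 otherwise.
# Override this function to use a different lookup (or a fake in a test).
replica_has_account() {
    ldapsearch -x -LLL -H "$REPLICA_URI" -b "$BASE_DN" \
        "(&(objectClass=sambaSamAccount)(uid=$1))" dn 2>/dev/null |
        grep -q '^dn:'
}

# wait_for_replica ACCOUNT MAX_TRIES DELAY_SECONDS
# Polls replica_has_account up to MAX_TRIES times, sleeping DELAY_SECONDS
# (an integer, for portable sleep) between attempts.
# Returns 0 once the entry has been replicated, 1 on timeout, so the caller
# can abort the join explicitly instead of having a later pdb lookup fail.
wait_for_replica() {
    account=$1; max_tries=$2; delay=$3
    tries=0
    while [ "$tries" -lt "$max_tries" ]; do
        if replica_has_account "$account"; then
            return 0
        fi
        tries=$((tries + 1))
        sleep "$delay"
    done
    return 1
}

# Usage, after the account has been written to the master (assumed name):
#   wait_for_replica 'ws01$' 20 1 || { echo "replica lag timeout" >&2; exit 1; }
```

The poll is cheap (one search per attempt) and self-terminating, which is the practical difference from a sleep: if the replica is lagging by thirty seconds you wait thirty seconds, and if the replica is down you find out instead of proceeding to a guaranteed failure.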
Oh. Stefan (Metze) Metzmacher started a discussion about this topic already a year ago(!): http://marc.theaimsgroup.com/?l=samba-technical&m=103546406125730&w=2
Metze's patch has been applied, adding an 'ldap replication sleep'.
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.