=> giving a broadcast address only works if it is the second argument; `findsmb <broadcast>` and `findsmb -r -d <broadcast>` give the same result as `findsmb`. In the first loop of smbclient (l 25-33), the first two arguments are parsed for '-d' and '-r' no matter what, then $_, still equal to the second argument, is used as a broadcast address. The line '$_ = shift;' (l 26) should only be executed before the loop and after each successful argument parsing to correct this.

=> some PDCs aren't displayed: only hosts with an '<hostname|groupname> <00>' entry are used (l 78, l 92) in the individual nmblookups, but some of my servers don't have either (none of my Debian/samba-3.5.6 do, but a Gentoo/samba-3.4.9 with exactly the same smb.conf has both). I still haven't found any piece of documentation referring to these <00> endchars being mandatory or not, but if it is legal for a PDC/BDC not to send its name/domain-name this way, then findsmb should also (or only) try <20> endchars, which seem to be sent by all samba instances.
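
The second point, sketched as an added example (not findsmb's own code and not part of the report): a Perl parser for a node-status listing that takes the host name from the unique `<00>` entry and falls back to the unique `<20>` entry when `<00>` is absent. The sample listing is constructed, and `parse_node_status`, `FILESRV`, `EXAMPLEDOM` and `192.0.2.10` are hypothetical names chosen for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of `nmblookup -A <ip>` node-status output for a host
# that registers no <00> names (the case described in the report above).
my $sample = <<'EOT';
Looking up status of 192.0.2.10
	FILESRV         <03> -         B <ACTIVE> 
	FILESRV         <20> -         B <ACTIVE> 
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> 
	EXAMPLEDOM      <1d> -         B <ACTIVE> 
	EXAMPLEDOM      <1e> - <GROUP> B <ACTIVE> 

	MAC Address = 00-00-00-00-00-00
EOT

# Return (host, group) from a node-status listing. The host name is taken
# from the unique <00> entry when present, otherwise from the unique <20>
# (file server service) entry. The group is taken from the <00> group entry
# and stays undef when that entry is absent.
sub parse_node_status {
    my ($text) = @_;
    my (%unique, $group);
    for my $line (split /\n/, $text) {
        # Fields: name, two-hex-digit suffix, "-", optional <GROUP> flag.
        next unless $line =~ /^\s+(\S.*?)\s*<([0-9a-fA-F]{2})>\s+-\s+(<GROUP>)?/;
        my ($name, $suffix, $is_group) = ($1, lc $2, defined $3);
        if ($is_group) {
            $group //= $name if $suffix eq '00';
        } else {
            $unique{$suffix} //= $name;    # keep the first name per suffix
        }
    }
    my $host = $unique{'00'} // $unique{'20'};
    return ($host, $group);
}

my ($host, $group) = parse_node_status($sample);
printf "host=%s group=%s\n", $host // '(none)', $group // '(unknown)';
```

The fallback recovers only the host name: group names are not registered with a `<20>` suffix, so a host without a `<00>` group entry is listed with an unknown group unless another suffix is consulted.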