Hi list
I'm sure I have gaps in my understanding of how to use SSSD without using plain binding-user credentials in the config file. I followed the guide for Win2008, although I only have 2003 SFU - would that work?
- Do I see it right that GSSAPI should enable looking up stuff in the LDAP using a machine account instead of the binding-user/passwd?
- Kerberos (which has the machine-auth ticket) comes into play for LDAP, but this exceeds the basic LDAP authentication (e.g. auth via Kerberos on the LDAP server)? Is this enough to feed nsswitch (e.g. getent) or is an additional valid user/pass still required?
The trouble I'm having here is that the ktpasswd.exe-generated key is always dated 01/01/70 01:00:00, which I guess is also the reason why ldapsearch -Y GSSAPI and kinit fail? 2003 behaviour?
The krb and ldap configuration works quite fine with bind-dn, just struggling with SASL/GSSAPI.
Cheers Josh