I'm not so sure your choice is bad. What I wanted to highlight with my point is that even "the way it works" and what should be investigated is not yet clear.
Just to take an example of why this is not that simple:
- Kerberos, high level, is quite simple but is in fact quite complex and there is a lot of reason why it may fail.
- Because of this, in the Microsoft implementation, when you authenticate with your workstation, if Kerberos fails, then client and server both revert back transparently to NTLM
- one may imagine that Samba, in their willingness to mimic Microsoft, have implemented same mechanism that exists at client level.
Reason why I'm not finger-pointing your comment but ask question to make people investigating further
(I can't as I don't have such system installed)