We finally figured out some issues related to binding our Panther Macs. Works great now (haven't tested single sign-on for shares yet, though). However, a few systems wouldn't bind, despite performing the exact same steps as other systems. It turns out this was because those systems had a DNS "CNAME" (alias) that differs from their "true" hostname. Well, we just used that name instead (created it in Active Directory Users and Computers) when binding. Works fine.
Another issue we're having is that with our HUGE AD (million+ users), we're not able to use the "allow administration by" feature. It simply does not notice that particular users are in that group. The directory utilities (e.g. lookupd) don't report the proper group associations. I hope this gets fixed, because that is a HUGE benefit to using a directory service (no need to configure "admins" on every single box).