Ville Herva
2005-Oct-18 23:40 UTC
[Samba] samba-3.0.10-1.4E (RHEL4): logon failures with 2003 server pdc
I recently set up a new RHEL4 server with samba-3.0.10 in a Windows 2003 server PDC domain.

I can log on as one user from different workstations on to the new samba server. With several other users, I get this error:

Oct 18 16:41:34 samba-server smbd[2502]: krb5_rd_req(CIFS/samba-server@MY.DOM) failed: Wrong principal in request
Oct 18 16:41:34 samba-server smbd[2502]: [2005/10/18 16:41:34, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)

[2005/10/18 16:41:42, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113) krb5_rd_req(CIFS/SAMBA_SERVER.my.dom@MY.DOM) failed: Wrong principal in request

The users are able to log on to other servers just fine and should have all the needed permissions to log on to the share.

Can anyone give me some clue what that error means?

Some relevant lines from smb.conf:

    workgroup = MY

    password server = pdc-server.my.dom
    realm = MY.DOM
    security = ADS
    client schannel = no
    use spnego = Yes
    client use spnego = Yes
    use kerberos keytab = Yes

    encrypt passwords = yes

    wins server = <pdc-server.my.dom ip>

Ville Herva
2005-Oct-18 23:40 UTC
[Samba] Re: samba-3.0.10-1.4E (RHEL4): logon failures with 2003 server pdc
On Tue, Oct 18, 2005 at 04:43:12PM +0300, you [Ville Herva] wrote:
> I recently set up a new RHEL4 server with samba-3.0.10 in a Windows 2003
> server PDC domain.
>
> I can log on as one user from different workstations on to the new samba
> server. With several other users, I get this error:
>
> Oct 18 16:41:34 samba-server smbd[2502]: krb5_rd_req(CIFS/samba-server@MY.DOM) failed: Wrong principal in request
> Oct 18 16:41:34 samba-server smbd[2502]: [2005/10/18 16:41:34, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
>
> [2005/10/18 16:41:42, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113) krb5_rd_req(CIFS/SAMBA_SERVER.my.dom@MY.DOM) failed: Wrong principal in request
>
> The users are able to log on to other servers just fine and should have all
> the needed permissions to log on to the share.
>
> Can anyone give me some clue what that error means?
>
> Some relevant lines from smb.conf:
>
> workgroup = MY
>
> password server = pdc-server.my.dom
> realm = MY.DOM
> security = ADS
> client schannel = no
> use spnego = Yes
> client use spnego = Yes
> use kerberos keytab = Yes
>
> encrypt passwords = yes
>
> wins server = <pdc-server.my.dom ip>

It appears that it's the workstation I try to connect from that is significant, not the username. Some workstations work, some don't - with the same username. The ones that work are not members of the domain, the ones that don't are.

I also have

    netbios name = SAMBASERVER
    netbios aliases = OTHERNAME

in smb.conf. What's even more curious is that I can log on from the workstations that don't work with \\SAMBASERVER\SHARE using \\OTHERNAME\SHARE. Even browsing \\SAMBASERVER doesn't work, but \\OTHERNAME does.

And on certain, non-domain, workstations both work.