Jason Haar
2010-Jul-26 01:37 UTC
[Samba] ongoing problems with winbind since we rolled out RODCs
Hi there

We've been merrily chugging away with a large number (>30) of samba-3.2.11 CentOS4.8 servers for some time now. Unfortunately in the past two months our AD team has started replacing our Win2K3 domain controllers with Win2K8 RODC (read-only DCs). As each site has been migrated over to RODCs, the Samba server associated with that site has started experiencing sporadic problems. e.g. "net ads testjoin" would fail ("-d9" would show it failed against the RODC), and yet if you did a "net ads testjoin -S real.dc" (i.e. point back at a Win2K3 DC) that would work - and more importantly - would IMMEDIATELY fix the problem with the RODC! i.e.

    net ads testjoin -S ro.dc - FAILS
    net ads testjoin -S rw.dc - OK
    net ads testjoin -S ro.dc - OK

Obviously the RODC is clearing out something that is needed for when the next time Samba comes a-knocking - but the fact is that our Windows users are not seeing any issues at all - other than these issues with Samba. I even upgraded them all to Samba-3.5.4 - didn't help a bit.

Right now I've got a new problem: somehow the Kerberos key has become corrupt or something on one Samba server (primarily) talking to a RODC, it's reporting

    [2010/07/26 01:24:34.498197, 0] libads/sasl.c:820(ads_sasl_spnego_bind)
      kinit succeeded but ads_sasl_spnego_krb5_bind failed: Decrypt integrity check failed
    [2010/07/26 01:24:34.960102, 0] libads/kerberos.c:333(ads_kinit_password)
      kerberos_kinit_password SAMBA-01$@AD.DOMAIN failed: KRB5 error code 29
    Join to domain is not valid: Undetermined error

The "Undetermined error" is a bit of a pain :-)

Any ideas what's happening here? I assume tonnes of other Samba sites talk to RODCs and I haven't heard of this as a general issue?

Thanks

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
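Because the Windows clients were unaffected, the only early signal of this failure mode is the pair of log entries quoted above. The following parser, an added example that is not part of the post or of Samba, reads the Samba debug-log layout (a "[date time, level] file:line(function)" header followed by indented message lines) and pulls out the two Kerberos failure events so they can be alerted on. The sample log is constructed from the entries in the post plus one benign line; the function names and error strings are the ones the post shows.

```python
import re
from typing import Iterator

# Samba debug-log entry: a header line "[date time, level] file:line(function)"
# followed by one or more indented message lines.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?), +(?P<level>\d+)\] "
    r"(?P<src>[\w./-]+:\d+)\((?P<func>\w+)\)"
)
# The two failure messages quoted in the post.
KINIT_RE = re.compile(r"kerberos_kinit_password (?P<principal>\S+) failed: KRB5 error code (?P<code>\d+)")
SPNEGO_RE = re.compile(r"kinit succeeded but ads_sasl_spnego_krb5_bind failed: (?P<reason>.+)")

def parse_samba_log(text: str) -> Iterator[dict]:
    """Group each header with its message lines; text before the first header is skipped."""
    entry = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if entry:
                yield entry
            entry = {**m.groupdict(), "message": ""}
        elif entry is not None:
            entry["message"] = (entry["message"] + " " + line.strip()).strip()
    if entry:
        yield entry

def find_kerberos_failures(text: str) -> list[dict]:
    """Return the Kerberos failure events with the detail a responder needs."""
    found = []
    for e in parse_samba_log(text):
        if e["func"] == "ads_sasl_spnego_bind" and (m := SPNEGO_RE.search(e["message"])):
            found.append({"ts": e["ts"], "kind": "spnego_bind", "reason": m["reason"].strip()})
        elif e["func"] == "ads_kinit_password" and (m := KINIT_RE.search(e["message"])):
            found.append({"ts": e["ts"], "kind": "kinit",
                          "principal": m["principal"], "code": int(m["code"])})
    return found

# Constructed sample: the two entries from the post plus a benign level-3 entry (made up).
SAMPLE_LOG = """\
[2010/07/26 01:24:30.000000, 3] libads/ldap.c:100(ads_connect)
  connected to a DC (constructed benign line)
[2010/07/26 01:24:34.498197, 0] libads/sasl.c:820(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Decrypt integrity check failed
[2010/07/26 01:24:34.960102, 0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password SAMBA-01$@AD.DOMAIN failed: KRB5 error code 29
"""

if __name__ == "__main__":
    for failure in find_kerberos_failures(SAMPLE_LOG):
        print(failure)
```

Pointing it at log.winbindd or log.smbd on each site's Samba server gives a per-server count of these events, which is what was missing here given that the Windows users never noticed anything.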