samba - Jun 2006 - 64-bit RHEL4 BDC doesn't allow workstation logons

I'm trying to set up Samba on RHEL4 as a BDC for subnet 10.6.0.0/16.  The
PDC is located at another site and on another network. Its IP address is
10.2.0.2. There are other BDCs on subnets 10.1.0.0/16, 10.3.0.0/16, and
10.4.0.0/16 that all function fine.  This is the only one on RHEL and this
is the only one on a 64 bit box.

We are using ldapsam for the passdb.  The important config lines are:

[global]
workgroup = AEI
netbios name = APPDEVEL-BIS
passdb backend = ldapsam:ldap://ldap.server.name
local master = yes
preferred master = no
domain master = no
os level = 33
domain logons = yes
wins server = 10.2.0.2

I have used smbpasswd -w secret, as well as net rpc join with a successful
domain join.  

Whenever someone logs in on a computer joined to the domain on this subnet
(and all the computers in this domain were already joined to the domain AEI
before this BDC was put into place) they get the:

"Windows cannot connect to the domain, either because the domain controller
is down or otherwise unavailable, or because your computer account was not
found. Please try again later. [...]"

Modifying the config file to say domain logons = no passes the logon to
another DC and then the logon works.

Logs at log level 5 say such scary things as:
[token.log, a workstation trying to log in]

[2006/06/05 12:13:07, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2006/06/05 12:13:07, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/06/05 12:13:07, 5] auth/auth_util.c:is_trusted_domain(1491)
  is_trusted_domain: Checking for domain trust with [AEI]
[2006/06/05 12:13:07, 5]
passdb/secrets.c:secrets_fetch_trusted_domain_password(
334)
  secrets_fetch failed!
[2006/06/05 12:13:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/06/05 12:13:07, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain AEI found.
[2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(133)
  attempting to make a user_info for  ()
[2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(143)
  making strings for 's user_info struct
[2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(185)
  making blobs for 's user_info struct
[2006/06/05 12:13:07, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user []\[]@[TOKEN]
with the new password interface
[2006/06/05 12:13:07, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [AEI]\[]@[TOKEN]

At which point it looks like it tries guest access by mapping null user to
nobody, which isn't allowed, and fails.

I'm convinced that the machine actually doesn't believe that it's a
domain
member.  For instance, in Printers and Faxes, it says the privileged user is
APPDEVEL-BIS\Administrators, not AEI\Administrators. etc.  That would seem
to make some sense with its behavior, but I don't know how else to convince
it it's a domain member other than what I've already done with net rpc
join,
which has been successful for me in the past.  But what's also bizarre is
that after one gets logged in, you can browse APPDEVEL-BIS's shares fine
without having to log in, and with seemingly the correct access levels.

Is there a 64-bit issue going on here?  Or maybe a library version issue?
Right now I'm using samba 3.0.10 which comes with RHEL4, but I have
experienced the same problems with 3.0.22 built from source and I'm staying
on 3.0.10 right now because I'm querying Red Hat support with this same
question -- though they seem just as stumped as I am so far.

Can someone please give me some pointers where I can look next?

--
Scott Moorhouse                   : < smoorhouse@ae-solutions.com >
Systems Architect                 : Applied Engineering, Inc.
Red Hat Certified Engineer        : Bismarck, ND