Jason Haar
2006-Dec-21 08:10 UTC
[Samba] weird kerberos enctype error on otherwise working 3.0.23d install
I have a Samba-3.0.23d installed on a CentOS4.4 server that cannot be connected to from other machines in the same W2K3 ADS.

The server was added to the ADS successfully via "kinit admin@REALM" and "net ads testjoin" works just fine. The clocks are NTP-synced and no clock slew errors are to be seen.

If WinXP/Win2K3 clients connect using \\ip.address\ it works fine, but if they use the hostname (short or FQDN), they fail to connect (even to get a share listing). They are prompted to login, and if they enter the very same username and password they are currently logged under Windows with - it works!

It is almost definitely a Kerberos problem. Looks like a failed ticket exchange, leading to the failed login, and when the user manually types in their creds again, it does a NT4-style connect and it works?

Anyway, "log level = 9" shows the failed connection showing errors like:

[2006/12/21 07:56:19, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2006/12/21 07:56:19, 3] libads/kerberos_verify.c:ads_verify_ticket(399)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2006/12/21 07:56:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(202)
  Failed to verify incoming ticket!
[2006/12/21 07:56:19, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(204) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2006/12/21 07:56:19, 5] lib/util.c:show_msg(485)

I have re-added the machine to the domain without any change.

Any other ideas? I have just finished adding 16 Samba servers to 4 different domains and this is the only one to fail in such a way. I'm a bit stumped...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1