Duffey, Blake A.
2010-Sep-28 11:21 UTC
[Samba] cross-realm Kerberos trust with a third Windows domain
Here is our scenario. We have a Windows 2008 domain I'll call CORP and an MIT realm I'll call REALM. There is a one-way trust (AES enabled) such that users in the CORP domain can access REALM resources. If I log into a CORP workstation, I can access REALM resources as expected (including samba).

We have a third Windows 2008 domain I'll call LAB. If I log into a LAB workstation as a CORP user, and try to get to a REALM samba share, it won't connect and I get a very nondescript Windows error (normally a 'the network name no longer exists'). Using a packet capture and the 'klist tickets' command, I see I am getting the correct cifs Kerberos ticket for the samba server. Other kerberized resources (web, ssh) work - but samba won't connect. I am fairly certain Kerberos is working correctly, but samba won't allow the connection (I see SMB packets, but only about a half-dozen, and nothing indicating what the error might be).

Is there any known reason why this configuration won't work? Is there a workaround? Any suggestions on troubleshooting this?

Thanks much,
Blake