samba - Aug 2012 - samba4+sssd+centos6

In need of some help here. I hope I haven't trimmed this too much.

As I mentioned before, I have a CentOS 6.3 system using SSSD (only) bound 
to the samba4 DC as an LDAP server using the following in sssd.conf:

[domain/SAMBA]
 	ldap_default_bind_dn = CN=Administrator,CN=Users,DC=...
 	ldap_default_authtok = <supersecret>
 	ldap_default_authtok_type = password
 	...

and everything works as expected (dns, kinit, passwd, etc are all good). 
Samba is not in use on the client. There are no Windows servers.

To avoid the need to embded the admin password, I have proceeded as 
follows:

* Joined the client to the  domain, creating an appropriate UPN (client is
   using Samba 3.5.10):

 	# kinit Administrator
 	# net ads join <domain> createupn=host/<client>@<REALM> -k

   where <client> is the (short) client hostname, and <REALM> is of
course
   the uppercase kerberos realm name. This succeeds. I can see the
   appropriate CN=<client>,CN=Computers,... entry appear in the DC
   database, and the userPrincipalName entry therein is correct.

* On the DC, extract the keytab:

 	# samba-tool domain exportkeytab client.keytab --princ=host/client at REALM

   and this also works. The client.keytab is transferred to the client and
   installed as /etc/krb5.keytab with the proper ownership and permissions.

* On the client, verify the keytab:

 	# klist -k /etc/krb5.keytab
 	Keytab name: WRFILE:/etc/krb5.keytab
 	KVNO Principal
 	--------------------------------------------------------------------------
 	   1 host/<client>@<REALM>
 	   1 host/<client>@<REALM>
 	   1 host/<client>@<REALM>

* On the client, change the three ldap_default_ lines to:

 	ldap_sasl_mech = GSSAPI
 	ldap_sasl_authid = host/<client>@<REALM>

   and restart sssd.

The result: nothing. I can no longer (getent passwd user) see any users 
or groups; basically nothing works. I get this in /var/log/messages:

Aug 10 15:58:47 <client> sssd_be: GSSAPI Error: Unspecified GSS failure.
 	Minor code may provide more information (Server not found in Kerberos
 	database)

and I really do not know what this is trying to tell me, as so far as I 
know the kerberos database is fine. Please, someone give me a clue! TIA,

Steve

As I mentioned before, I have a CentOS 6.3 system using SSSD (only) bound to 
the (separate) samba4 DC as an LDAP/krb5 server. Client is using Samba 
3.5.10.

I have successfully joined the client to the domain. Keytab is fine, 
kerberos works, ldapsearch works, etc. DNS is good. The machine entry in 
the DC database looks fine, and the userPrincipleName is correct. However, 
any attempt to look up a user (eg with getent, id, ssh login, etc) fails 
and leaves this evidence of a failed SASL bind in the client's sssd log:

(Thu Aug 16 13:58:37 2012) [sssd[be[SAMBA4]]] [sasl_bind_send] (0x0100):
 	Executing sasl bind mech: GSSAPI, user:
 	host/gulp.icse.cornell.edu at TITAN.TEST.CORNELL.EDU
(Thu Aug 16 13:58:38 2012) [sssd[be[SAMBA4]]] [sasl_bind_send] (0x0020):
 	ldap_sasl_bind failed (53)[Server is unwilling to perform]

and from the samba log on the DC, it looks as if everything proceeds OK 
until the connection is suddenly dropped. I don't see what the reason
for this is; a level 10 log is at:

 	http://www.cbe.cornell.edu/~smt/samba4.log

(the DC is s6a.titan.test.cornell.edu, and the client is gulp.icse.cornell.edu,
on the same LAN segment. The kerberos realm is TITAN.TEST.CORNELL.EDU).

I'd appreciate it if someone could take a look at this debug log and try 
to pinpoint the cause, because I surely can't see it. TIA!

Steve