Hello,
I have two Samba 4.2.10+dfsg-0+deb8u3 Debian 8.2 servers, connected to a
2008 R2 AD over krb5/sssd.
Both servers have an identical configuration and are joined to the domain.
The shares on these two servers are perfectly accessible from any of my
Windows clients.
But I cannot mount the shares from one of the servers over mount -t cifs.
domain_client_validate: unable to validate password for user <user> in
domain <mydomain> to Domain controller <AD server fqdn>. Error was
NT_STATUS_ACCESS_DENIED.
After setting a more verbose log level and comparing the output of these
two servers, I noticed this:
[2016/09/07 14:58:32.674886, 8, pid=10468, effective(0, 0), real(0, 0)]
../source3/libsmb/namequery.c:3320(get_sorted_dc_list)
get_sorted_dc_list: attempting lookup for name <mydomain> (sitename A)
[2016/09/07 14:58:32.674929, 5, pid=10468, effective(0, 0), real(0, 0)]
../source3/libsmb/namequery.c:209(saf_fetch)
saf_fetch: failed to find server for "<mydomain>" domain
[2016/09/07 14:58:32.674944, 3, pid=10468, effective(0, 0), real(0, 0)]
../source3/libsmb/namequery.c:3133(get_dc_list)
get_dc_list: preferred server list: ", *"
-------working server output below---------
[2016/09/06 10:33:20.209503, 8, pid=6856, effective(0, 0), real(0, 0)]
../source3/libsmb/namequery.c:3320(get_sorted_dc_list)
get_sorted_dc_list: attempting lookup for name <mydomain> (sitename B)
[2016/09/06 10:33:20.209522, 5, pid=6856, effective(0, 0), real(0, 0)]
../source3/libsmb/namequery.c:212(saf_fetch)
saf_fetch: Returning "<ad server>.<mydomain>" for "<mydomain>" domain
[2016/09/06 10:33:20.209546, 3, pid=6856, effective(0, 0), real(0, 0)]
../source3/libsmb/namequery.c:3133(get_dc_list)
get_dc_list: preferred server list: "<ad server>.<mydomain>, *"
The AD servers are resolvable and pingable for both servers; the servers
have a connection to the AD, and Kerberos and SSSD seem to work fine.
I can get a Kerberos ticket and getent passwd/group returns the correct
information.
I have no idea anymore why one of the servers reports "saf_fetch: failed
to find server for "<mydomain>" domain" when I try to mount the share
over cifs from clients on various Linux distributions (Arch, CentOS,
Debian, Ubuntu).
smb.conf:
[global]
workgroup = <MY DOMAIN>
realm = <MY DOMAIN>.CORP
security = ADS
netbios name = <hostname>
# password server = <ad server fqdn>
dedicated keytab file = /etc/krb5.keytab
kerberos method = system keytab
passdb backend = tdbsam
map to guest = Bad User
null passwords = Yes
load printers = No
hosts allow = <my networks>
encrypt passwords = true
client ntlmv2 auth = yes
template homedir = /home/%U
template shell = /bin/bash
# shutup CUPS
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[projects]
comment=Data
path=/data
guest ok = no
valid users = @someusers
force group = someusers
browseable = yes
read only = No
create mask = 0660
directory mask = 0770
writable = yes
available = yes