AD Auth MAC Server
Hi all,
Lots of posts on this, but I'll give it a shot.
We are trying to get SMB shares from a Mac OS X (10.4) server to auth via AD. We can get it to work, it just won't come back after reboot.
I can successfully bind to the AD domain - and all AFP works fine, but any SMB attempt results in this in the Samba logs:
[2007/02/15 10:20:46, 3] /SourceCache/samba/samba-100.5/samba/source/libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2007/02/15 10:20:46, 3] /SourceCache/samba/samba-100.5/samba/source/libads/kerberos_verify.c:ads_verify_ticket(313)
ads_verify_ticket: krb5_rd_req with auth failed (Unknown Error Code: 0)
[2007/02/15 10:20:46, 1] /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(184)
Failed to verify incoming ticket!
[2007/02/15 10:20:46, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/error.c:error_packet(105)
error string = No such file or directory
[2007/02/15 10:20:46, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/error.c:error_packet(129)
error packet at /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c(185) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
The first part of this I want to lock down is this error, seen on Samba startup:
[2007/02/15 10:19:26, 5] /SourceCache/samba/samba-100.5/samba/source/libads/ldap.c:ads_try_connect(85)
ads_try_connect: trying ldap server '172.17.17.110' port 389
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/ldap.c:ads_connect(247)
Connected to LDAP server 172.17.17.110
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/ldap.c:ads_server_info(2432)
got ldap server name earth@CORP.MYDOMAIN.COM, using bind path: dc=CORP,dc=MYDOMAIN,dc=COM
[2007/02/15 10:19:26, 4] /SourceCache/samba/samba-100.5/samba/source/libads/ldap.c:ads_server_info(2438)
time offset is 5 seconds
[2007/02/15 10:19:26, 4] /SourceCache/samba/samba-100.5/samba/source/libads/sasl.c:ads_sasl_bind(447)
Found SASL mechanism GSS-SPNEGO
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libads/sasl.c:ads_sasl_spnego_bind(211)
ads_sasl_spnego_bind: got server principal name =earth$@CORP.MYDOMAIN.COM
[2007/02/15 10:19:26, 3] /SourceCache/samba/samba-100.5/samba/source/libsmb/clikrb5.c:ads_krb5_mk_req(392)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/02/15 10:19:27, 0] /SourceCache/samba/samba-100.5/samba/source/libads/kerberos.c:ads_kinit_password(146)
[b]kerberos_kinit_password host/NEMESIS@CORP.MYDOMAIN.COM failed: Decrypt integrity check failed[/b]
[2007/02/15 10:19:27, 3] /SourceCache/samba/samba-100.5/samba/source/printing/nt_printing.c:check_published_printers(2857)
ads_connect failed: Decrypt integrity check failed
[2007/02/15 10:19:27, 0] /SourceCache/samba/samba-100.5/samba/source/printing/nt_printing.c:nt_printing_init(386)
nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2007/02/15 10:19:27, 5] /SourceCache/samba/samba-100.5/samba/source/smbd/connection.c:claim_connection(170)
claiming 0
[2007/02/15 10:19:27, 3] /SourceCache/samba/samba-100.5/samba/source/printing/printing.c:start_background_queue(1224)
start_background_queue: Starting background LPQ thread
net ads status and wbinfo -g and -u work great, but Samba denies all logins from AD with the "Failed to verify incoming ticket" error.
Any thoughts appreciated.
EB
ebrooathealthydirectionsdotcom
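An added example, not part of the original post: a small Python triage script for the two-line Samba debug log format shown above. It pairs each header with its message and pulls out the Kerberos failures (failing principal, encryption type, rejected session). The function names and the encryption-type name table are this example's own; the sample records are copied from the post's log excerpts, with the forum bold markup removed.

```python
import re

# Samba debug header: [timestamp, level] source_file:function(line)
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+):(?P<func>\w+)\((?P<lineno>\d+)\)$")
ETYPE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")
KINIT = re.compile(r"kerberos_kinit_password (\S+) failed: (.+)")
# Subset of the IANA Kerberos encryption type numbers.
ETYPE_NAMES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Sample input: four records taken from the log excerpts in the post.
SAMPLE = """\
[2007/02/15 10:19:27, 0] /SourceCache/samba/samba-100.5/samba/source/libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password host/NEMESIS@CORP.MYDOMAIN.COM failed: Decrypt integrity check failed
[2007/02/15 10:20:46, 3] /SourceCache/samba/samba-100.5/samba/source/libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2007/02/15 10:20:46, 1] /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(184)
Failed to verify incoming ticket!
[2007/02/15 10:20:46, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/error.c:error_packet(105)
error string = No such file or directory
"""

def parse_records(text):
    """Attach each message line to the header line that precedes it."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif line and records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def kerberos_failures(records):
    """Return only the records that report a Kerberos failure, classified."""
    out = []
    for r in records:
        base = {"ts": r["ts"], "func": r["func"]}
        if (m := ETYPE.search(r["msg"])):
            n = int(m.group(1))
            out.append({**base, "kind": "ticket_decrypt",
                        "etype": ETYPE_NAMES.get(n, str(n)), "error": m.group(2)})
        elif (m := KINIT.search(r["msg"])):
            out.append({**base, "kind": "kinit", "principal": m.group(1), "error": m.group(2)})
        elif "Failed to verify incoming ticket" in r["msg"]:
            out.append({**base, "kind": "session_rejected"})
    return out

if __name__ == "__main__":
    for finding in kerberos_failures(parse_records(SAMPLE)):
        print(finding)
```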