GSSAPI FAILED doing gss_unwrap: No error

I'm getting the following "errors" in my DirectoryService.debug.log on several Macs in my university domain. [quote]GSSAPI FAILED doing gss_unwrap: No error Secure BIND Session FAILED with server [server name]:389[/quote] We just added some domain controllers and I'm seeing the errors for two of their host names; I haven't yet been able to find out if they are different from the old DCs in any substantial way (such as policy). Both are listed in the ActiveDirectory.plist for this domain on the local systems. I have unbound and rebound one of the computers and the error persists, so that would seem to rule out a computer object password problem. I have inconsistent results logging in. Well over half of the time, I can't log in with my account on one of these computers, and other users have similar results. If I [i]can[/i] log in, other things go haywire … I can't use `sudo` because it can't find my UID (rather than my username) in the passwd file, `id` returns only numeric values, authenticating at the screen saver fails, or whatever. The inability to authenticate in these ways is unsurprising to me if I can't get through loginwindow most of the time. I haven't seen this error after some Googling. I can, however, kinit as a user fine, so Kerberos appears to be working. Lookups via ldapsearch (as per the WWDC 2006 Advanced Troubleshooting session slides) fail with a binding error, `dscl read` of my username fails, and I can't simulate a successful login with `dirt,` either. Both forward and reverse DNS results seem to check out fine for all known domain controllers, not just the two listed in ActiveDirectory.plist. I'm going to try to specify one of the old DCs to see if that makes a difference. Any ideas? To me, this sounds as if there is some sort of new policy on the new domain controllers, but I no longer have a reliably working client system to see what how secure binding used to work (if it did).