I have 4 samba servers, all integrated with active directory, and for
the most part, working great. The servers are running a mixed bag of
Red Hat and RH clone OS's (RHEL4, CentOS4, and FC4). I'm using the
"idmap_rid" to maintain some semblance of order and consistency between
all the servers as far as UID->SID mapping.

The issue I have been running into is that occasionally one or two
user accounts can't access the samba shares. On further investigation,
wbinfo can get all normal info for the user (SID, SID>UID, UID>SID,
--user-sids, etc.) except the -r option. When I run wbinfo -r
DOMAIN+username, I get the response:
Could not get groups for user DOMAIN+username

I can "su - DOMAIN+username" without issue.

In the samba log for the user's workstation, I get the following:

[2006/10/05 10:39:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)
make_server_info_from_pw failed!

This can happen on any of the servers, seemingly randomly. Even when
the user It also doesn't happen often, about 1 user or so per week.
The only method I've discovered to fix it is to stop winbind and delete
the winbindd_cache.tdb and winbindd_idmap.tdb files. When I restart
winbind, everything is good to go again.

One item to note: The only consistency between the users this has
affected is that they are also members of groups from trusted domains.
My smb.conf has:
allow trusted domains = no
As this was directed in the samba documentation when you use the
idmap_rid functionality.

Any thoughts or suggestions are greatly appreciated.
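
Added example, not part of the original post: a small parser for the two-line smbd log entries quoted above. It lists when and on which client the "make_server_info_from_pw failed!" error occurred, so failures can be matched against the affected users. The per-client log dictionary, the client names and every sample line other than the entry quoted in the post are constructed assumptions.

```python
import re
from collections import Counter

# Header of an smbd log entry, in the form quoted in the post:
# [2006/10/05 10:39:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
NEEDLE = "make_server_info_from_pw failed!"

def parse_entries(text):
    """Yield (timestamp, function, message) for each header + message-lines entry."""
    current = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m["ts"], m["func"], [])
        elif current is not None and raw.strip():
            # Message lines may be indented or flush left; accept both.
            current[2].append(raw.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def find_failures(logs):
    """logs maps client name -> log text. Returns sorted [(timestamp, client)]."""
    hits = [(ts, client)
            for client, text in logs.items()
            for ts, _func, msg in parse_entries(text)
            if NEEDLE in msg]
    return sorted(hits)  # YYYY/MM/DD HH:MM:SS sorts chronologically as text

def failures_per_day(hits):
    """Count failures per calendar day to show how often the problem recurs."""
    return Counter(ts.split(" ")[0] for ts, _client in hits)

# Constructed sample input: only the first entry is taken from the post.
SAMPLE_LOGS = {
    "ws-alpha": "[2006/10/05 10:39:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)\n"
                "  make_server_info_from_pw failed!\n"
                "[2006/10/05 10:40:00, 2] smbd/example.c:example_func(1)\n"
                "  constructed unrelated entry\n",
    "ws-beta": "[2006/10/12 09:15:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)\n"
               "make_server_info_from_pw failed!\n",
    "ws-gamma": "[2006/10/12 09:20:00, 2] smbd/example.c:example_func(1)\n"
                "  constructed unrelated entry\n",
}

if __name__ == "__main__":
    for ts, client in find_failures(SAMPLE_LOGS):
        print(ts, client)
```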