cross-domain ticket issuing problem

jiri sasek - Sun Microsystems - Prague Czech Republic Jiri.Sasek at Sun.COM
Wed Jan 16 18:33:41 GMT 2008


Hi samba experts

I am running Solaris 10 with the default Samba (samba-3.0.28; MIT 
Kerberos; NS LDAP 5.2 C-API) and have a problem in a "2 or more 
domains" environment with the following assumptions:

1 -
computer "a" has realm "A" as its default and
computer "b" has realm "B" as its default,
and a cross-domain trust exists between the Active Directory 
domains representing the "A" and "B" realms.

2 -
There is a user "u" in realm "B"

3 -
Using the "ktpass" utility the keytab is generated for computer 
"a" and installed on computer "a" using the "ktutil" utility.

4 -
A TGT is issued for user "u" by running: kinit u@B


Currently:
user "u" can request a service from computer "a", so the 
cross-realm ticket and the service ticket appear in the krb5 cache.

Problem:
When Samba is joined by running 'net ads join' on the 
"a" computer, the service ticket is not issued for "u" requesting the 
service from "a".

Question:
  - What is 'net ads join' doing so that the service ticket is not issued for 
the service running on this computer?

Note:
The problem disappears after leaving the domain with 'net ads leave'.



Looking at this problem from the other side, the Samba winbind running on "a" cannot retrieve 
user info from domain "B", so idmap cannot map users 
from more than one domain for me. Has anybody met the same problem?


Thank you in advance for suggestions that help me fix this problem.

Regards

Jiri
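Added example, not part of the post above and not Samba's or MIT Kerberos' own code: a set of small shell checks over the output of klist -e, klist -k -e and kvno(1) that separate the two halves of the situation described in the post. The first half is whether the cross-realm step works at all, i.e. whether the cache for u@B holds krbtgt/A@B. The second half is whether host "a" can actually decrypt the service ticket the KDC issued: a service ticket is encrypted with the service principal's current key, so if the keytab on "a" still holds an older key version number (kvno) than the one the KDC now uses, the ticket is issued but unusable by the service. A join that resets the machine account password invalidates keys extracted earlier with ktpass, which is why comparing the keytab kvno with the kvno the KDC used is the first thing worth checking after 'net ads join'. Host names (a.example.com), realms (A.EXAMPLE.COM, B.EXAMPLE.COM), the cifs/ service principal and all kvno values are constructed sample data, as is the pasted tool output; on a real system the functions would be fed the output of the real commands instead.

```shell
#!/bin/sh
# Added example (not from the original post). Checks run offline over
# constructed klist/kvno output; replace the *_SAMPLE variables with
# "$(klist -e)", "$(klist -k -e)" and "$(kvno cifs/HOST)" on a real host.

# Constructed: what `klist -e` might print for user u@B after a successful
# cross-realm exchange with host "a" in realm A (names are assumptions).
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: u@B.EXAMPLE.COM

Valid starting     Expires            Service principal
01/16/08 18:00:00  01/17/08 04:00:00  krbtgt/B.EXAMPLE.COM@B.EXAMPLE.COM
    Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/16/08 18:01:00  01/17/08 04:00:00  krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM
    Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/16/08 18:01:05  01/17/08 04:00:00  cifs/a.example.com@A.EXAMPLE.COM
    Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5'

# Constructed: `klist -k -e` on host "a" for a keytab written earlier
# with ktpass/ktutil (kvno 3 is an assumed value).
KEYTAB_SAMPLE='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   3 host/a.example.com@A.EXAMPLE.COM (ArcFour with HMAC/md5)
   3 cifs/a.example.com@A.EXAMPLE.COM (ArcFour with HMAC/md5)'

# Constructed: `kvno cifs/a.example.com` after the KDC started using a
# newer key for the machine account (kvno 4 is an assumed value).
KVNO_SAMPLE='cifs/a.example.com@A.EXAMPLE.COM: kvno = 4'

# Does the cache hold the cross-realm TGT krbtgt/<service realm>@<client realm>?
# $1 = klist output, $2 = client realm, $3 = service realm
has_cross_realm_tgt() {
    printf '%s\n' "$1" | grep -q "krbtgt/$3@$2\$"
}

# Key version number(s) the keytab holds for a principal, one per line.
# $1 = klist -k output, $2 = full principal name
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }' | sort -u
}

# Key version number the KDC encrypted the service ticket with, from kvno(1).
# $1 = kvno output, $2 = full principal name
ticket_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p ":" { print $NF }'
}

# Prints "match" when the keytab holds the kvno the ticket was encrypted
# with, "mismatch" when it does not (the service cannot decrypt the ticket),
# "no-ticket" when kvno(1) reported nothing for that principal.
# $1 = klist -k output, $2 = kvno output, $3 = full principal name
check_service_key() {
    want=$(ticket_kvno "$2" "$3")
    if [ -z "$want" ]; then
        echo no-ticket
        return 1
    fi
    if keytab_kvno "$1" "$3" | grep -qx "$want"; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# Walk-through on the constructed data.
if has_cross_realm_tgt "$KLIST_SAMPLE" B.EXAMPLE.COM A.EXAMPLE.COM; then
    echo "cross-realm TGT krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM present"
else
    echo "no cross-realm TGT: the trust/referral step failed before any service ticket"
fi
result=$(check_service_key "$KEYTAB_SAMPLE" "$KVNO_SAMPLE" cifs/a.example.com@A.EXAMPLE.COM)
echo "service key check for cifs/a.example.com: $result"
```

When the first check passes but the second reports "mismatch", the KDC is issuing tickets and the problem is on host "a": the keytab no longer holds the key the KDC uses, so the keytab must be regenerated (or exported again from the current machine account) rather than the trust being debugged. When the first check fails, the cache never received krbtgt/A@B and the trust or realm mapping is the place to look.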

