[Samba] Opensolaris-ish joins but does not seem to be valid

[Mike Ray]

We have a product that is similar to Opensolaris. It joins to the domain (Samba
version 4.7.0) without error and I can verify that a computer object is created
in the domain for it.

However, the command "getent passwd" which I would expect to return a list of
all domain users, only returns a list of local users.

I am confident I do not have a misconfigured file because if I get a kerberos
ticket as the Administrator (i.e. kinit -UAdministrator) and then issue "getent
passwd", the list returns as I would expect.

The host is populated with a keytab after joining to the domain and it appears
to have good entries: "host/hostname.example.com at EXAMPLE.COM", etc. And when I
do a "klist" with no prior kinit, it says it says the default principal is
"host/hostname at EXAMPLE.COM" which is listed in the keytab.

Since I am on 4.7.0, I've also turned on the authentication auditing and I can
see the authentication attempt when I issue "getent passwd". But instead of
being host specific, it registers the user as [NT AUTHORITY]\[ANONYMOUS LOGON].

There is an additional setup we have to run for this host, setting up directory
based mappings for idmap to resolve UIDs
(http://web.archive.org/web/20090416045554/http://docs.sun.com:80/app/docs/doc/820-2429/createidmappingstrategy?a=view).
That command registers as the host authority in the DC logs, i.e.
"[EXAMPLE]\[HOSTNAME$][SID]"; however, on the client side, the process returns
as "sasl/GSSAPI bind" error. As above, if I do a kinit as Administrator
beforehand, the command succeeds successfully. 

It seems like something is wrong with the computer account, but it's not like I
can set the computer accounts password and manually trying kiniting as it. Any
suggestions about what might be wrong or how to further troubleshoot?

Mike Ray