Solaris 11 - can't join AD domain
899667 Nov 11 2011 — edited May 11 2012

I've upgraded to Solaris 11 from 11 Express and am trying to join the system to an Active Directory domain. I first joined workgroup, then tried to rejoin the domain, at which time I get the following (names changed to protect the anonymous):
myuser@ganesh:~# smbadm join -u "DomainAdmin" lothlorien.domain.com
After joining lothlorien.domain.com the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Locating DC in lothlorien.domain.com ... this may take a minute ...
Joining lothlorien.domain.com ... this may take a minute ...
failed to join lothlorien.domain.com: UNSUCCESSFUL
Please refer to the system log for more information.
/var/adm/messages shows this:
Nov 11 00:46:17 ganesh smbd[641]: [ID 270243 daemon.error] smb_ads_update_dsattr: ldap_sasl_interactive_bind_s Local error
Nov 11 00:46:35 ganesh smbd[641]: [ID 702911 daemon.error] smbns_kpasswd: KPASSWD protocol exchange failed (Cannot contact any KDC for requested realm)
Nov 11 00:46:35 ganesh smbd[641]: [ID 702911 daemon.notice] Machine password update failed
Nov 11 00:46:35 ganesh smbd[641]: [ID 702911 daemon.error] unable to join lothlorien.domain.com (UNSUCCESSFUL)
I know for sure the system is locating the DC and trying to register itself - I can see the events in the Windows event log. Having deleted the previous computer account, if I watch the Computers node of the AD Users & Computers MMC snap-in, I can see the Solaris system appear briefly as disabled, then disappear a few seconds later (with corresponding events in the DC's Security event log).
I can't find any documentation specific to S11 (as opposed to SE11) that addresses what might be different (if anything) in the smb join protocols. I know by now that S11 can autogenerate your /etc/krb5/krb5.conf, so the fact that I can delete/rename that file and it will reappear with valid information validates the fact that it does locate and connect to the (K)DC and get relevant config info, not to mention that I can type garbage for my domain password and the behavior is different, so it can do Kerberos authentication.
I think the key error here is the "ldap_sasl_interactive_bind_s Local error" but it's not enough information for me to determine causality. I've already gone through Google searches and implemented changes related to the NTLM levels and so forth, but unlike with SE11 which I did have working, these did not solve the issue.
I'm still trying to go through the S11 documentation including the End of Feature Notices for what's changed but I didn't see anything revelatory in the Interop guide. I know this could also be something that's in my AD/GP configuration on the Windows side (e.g. I've implemented a PKI and strengthened system authentication among certain domain members). Has anyone run into anything similar? Do you have S11 (as opposed to SE11) joined to your domain?
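As an added example (not part of this post or of Solaris itself), a small Python triage script that parses the smbd lines from /var/adm/messages shown above and reports which join stage failed first. The per-stage "hint" text is my own assumption about where to look, not something the thread establishes.

```python
import re
from typing import Dict, List, Optional

# Solaris syslog line as smbd writes it:
#   "<Mon dd hh:mm:ss> <host> smbd[<pid>]: [ID <msgid> <facility>.<severity>] <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) smbd\[(?P<pid>\d+)\]: "
    r"\[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<severity>\w+)\] (?P<msg>.*)$"
)

# Join stages in the order smbd reports them: (message substring, stage label, hint).
# Hints are assumptions about what to verify, not facts taken from the post.
STAGES = [
    ("ldap_sasl_interactive_bind_s", "ldap-sasl-bind",
     "client-side GSSAPI/SASL bind failure: check clock skew against the DC and the "
     "realm/kdc entries in /etc/krb5/krb5.conf"),
    ("Cannot contact any KDC", "kpasswd-kdc-unreachable",
     "no KDC reachable for the realm: check _kerberos._tcp/_kpasswd._tcp SRV lookups "
     "and TCP/UDP 88 and 464 to the DC"),
    ("Machine password update failed", "machine-password",
     "follows from the KPASSWD failure; not a separate cause"),
    ("unable to join", "join-result", "final outcome of the join attempt"),
]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one Solaris syslog line into its fields, or None if it is not an smbd line."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage_join(lines: List[str]) -> Dict[str, object]:
    """Map smbd log lines onto join stages and return the first stage logged at error severity."""
    seen = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["facility"] != "daemon":
            continue
        for needle, stage, hint in STAGES:
            if needle in rec["msg"]:
                seen.append({"time": rec["ts"], "severity": rec["severity"],
                             "stage": stage, "hint": hint})
                break
    first = next((s for s in seen if s["severity"] == "error"), None)
    return {"stages": [s["stage"] for s in seen], "first_error": first}

# Constructed sample: the four lines quoted in the post above.
SAMPLE = [
    "Nov 11 00:46:17 ganesh smbd[641]: [ID 270243 daemon.error] smb_ads_update_dsattr: ldap_sasl_interactive_bind_s Local error",
    "Nov 11 00:46:35 ganesh smbd[641]: [ID 702911 daemon.error] smbns_kpasswd: KPASSWD protocol exchange failed (Cannot contact any KDC for requested realm)",
    "Nov 11 00:46:35 ganesh smbd[641]: [ID 702911 daemon.notice] Machine password update failed",
    "Nov 11 00:46:35 ganesh smbd[641]: [ID 702911 daemon.error] unable to join lothlorien.domain.com (UNSUCCESSFUL)",
]
```

Running `triage_join(SAMPLE)` on the quoted lines points at the LDAP SASL bind as the first error-level stage, which matches the poster's own reading of the log.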