Cross-realm to W2K8 R2 cifs server?

Bjørn Tore Sund bjorn.sund at adm.uib.no
Sun Sep 11 08:00:22 EDT 2011


We have separate MIT and AD domains with trust established between them.
When I am authenticated with a user principal in the MIT domain I can
access cifs resources on XP and 2K3 servers but not on a new 2K8r2
server.  Using the same kinit command for the user and

    smbclient -k //server.uib.no/sharename

for the resources on various servers I get the appropriate cross-realm 
TGTs when connecting to the XP and 2K3 servers but not when connecting 
to the 2K8r2 server.  It simply fails, informing me that 
server$@MIT.REALM.NAME isn't found in the Kerberos database.

There is no explicit mapping for the XP and 2K3 servers in krb5.conf;
adding a mapping for the 2K8 server to the AD domain there makes no
difference.  Within the same AD domain, Kerberos authentication succeeds 
to access the same resource.

I am assuming we're missing a setting on the 2K8 server for announcing 
which realm to get a TGT from.  Any pointers to which setting that would be?

-BT
-- 
Bjørn Tore Sund    Phone:  +47 555-84894             When in fear
Telecom manager    Mobile: +47 918 68075             and when in doubt:
IT Department      Email:   bjorn.sund at adm.uib.no    Run in circles,
Univ. of Bergen    Support: https://bs.uib.no/       Scream and shout.


