I saw a case where idmap failures caused an auth. failure like this. The authentication actually succeeded, but the idmap lookups need to build the local token failed, so the logon returned failure. Dtrace should show you that...