aah, the nightmare that is dsfw...

I'm sure something changed recently, but not sure exactly what to do about it. Until this week, we had no difficulty joining workstations to the dsfw domain.

Now when trying to join new Win 7 workstations to the domain, they get an error pop-up:
Code:
    The following error occurred attempting to join the domain "aaaa.bbb.ccc":
    Logon failure:  unknown user name or bad password.

Of course, we're certain that the username/password being used are in fact valid, since these credentials can be used to authenticate on a workstation that is already joined to the domain.

On the dsfw server, concurrent with the error pop-up on windows, the following is logged in /var/log/messages:

Code:
    Dec  7 15:25:14 bbbb-dsfw1 ndsd[4255]: [SECURITY] Failed to acquire acceptor credentials (reason: No principal in keytab matches desired name)
    Dec  7 15:25:14 bbbb-dsfw1 ndsd[4255]: [SECURITY] Failed to acquire acceptor credentials (reason: No principal in keytab matches desired name)

Google/forum/TID searches have been less than helpful in identifying the cause/solution for this.

Yes, the link exists from /var/opt/novell/novell/xad/ds/krb5kdc/krb5.keytab to /etc/krb5.keytab.

I tried to follow the steps in TID7004481, although I didn't have the exact error messages, because there was work done recently in iManager on the universal password policy (enabling NFAP/AFP). However, trying to run the script provided in the TID gives another undocumented error, which I suspect is another symptom of the same problem:
Code:
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

Ok, so which server wasn't found, where is the Kerberos database, and how do I fix this?

iMonitor on the dsfw server, dstrace for ldap during a join attempt gives:
Code:
    13:34:22 41E16940 LDAP: New cleartext connection 0xdbd4d00 from 192.168.52.22:49219, monitor = 0x4806c940, index = 48
    13:34:22 4F59B940 LDAP: DoBind on connection 0xdbd4d00
    13:34:22 4F59B940 LDAP: Bind name:NULL, version:3, authentication:GSS-SPNEGO
    13:34:22 4F59B940 LDAP: Failed to authenticate full context on connection 0xdbd4d00, err = -1647 (0xfffffffffffff991)
    13:34:22 4F59B940 LDAP: Sending operation result 49:"":"" to connection 0xdbd4d00

...which is an NMAS error: "0xFFFFF991 NMAS_E_AUTH_FAILURE The creation of eDirectory background authentication materials failed." But it is unclear whether this is the admin user with the problem, the new machine account, or something else.

Any help/suggestions greatly appreciated!
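The server-side message "No principal in keytab matches desired name" means the LDAP server (the GSSAPI acceptor) was asked for a service ticket under a name whose key is not in the keytab it is reading. A quick way to check that on a domain controller is to list the keytab with `klist -kt /etc/krb5.keytab` and compare the principals found against the names a join or GSS-SPNEGO bind will ask for. The script below is an added example, not from the original post or from the DSfW product: it parses constructed `klist -kt` output embedded inline (the host name bbbb-dsfw1.aaaa.bbb.ccc and the realm AAAA.BBB.CCC are assumptions based on the placeholders in the thread), reports which expected principals are missing, and optionally flags keytab entries whose key version (KVNO) is older than what the KDC currently has. The set of expected principals (host/, ldap/, and the machine account) is an assumption about what the acceptor will be asked for.

```python
import re

# Constructed sample of `klist -kt /etc/krb5.keytab` output. This is NOT the
# poster's real keytab; host and realm names are assumptions derived from the
# placeholders in the thread. Note that the ldap/ principal is deliberately
# absent so that the check below has something to report.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/01/2011 10:03:12 host/bbbb-dsfw1.aaaa.bbb.ccc@AAAA.BBB.CCC
   3 12/05/2011 09:41:07 host/bbbb-dsfw1.aaaa.bbb.ccc@AAAA.BBB.CCC
   3 12/05/2011 09:41:07 BBBB-DSFW1$@AAAA.BBB.CCC
"""

# One keytab entry per line: KVNO, timestamp (date and time), principal.
# Header and separator lines do not start with a number and are skipped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s*$")


def parse_klist(text):
    """Map each principal in `klist -kt` output to the highest KVNO present."""
    kvnos = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kvno, principal = int(m.group(1)), m.group(3)
        kvnos[principal] = max(kvno, kvnos.get(principal, 0))
    return kvnos


def expected_principals(fqdn, realm):
    """Principals a DSfW DC is assumed to need for GSS-SPNEGO LDAP binds and
    domain joins: host/ and ldap/ service principals plus the machine account
    (short hostname, upper-cased, trailing '$'), all in the DC's realm."""
    short = fqdn.split(".")[0].upper()
    return {
        f"host/{fqdn}@{realm}",
        f"ldap/{fqdn}@{realm}",
        f"{short}$@{realm}",
    }


def missing_principals(text, fqdn, realm):
    """Expected principals absent from the keytab listing, sorted.

    An empty list means every name the acceptor may be asked for has a key;
    a non-empty list is a plausible cause of 'No principal in keytab matches
    desired name' on the server side."""
    present = parse_klist(text)
    return sorted(p for p in expected_principals(fqdn, realm) if p not in present)


def stale_kvnos(text, kdc_kvnos):
    """Principals whose keytab key is older than the KDC's current key.

    kdc_kvnos is a {principal: kvno} dict gathered out of band (for example
    with kvno(1) or kadmin's getprinc). A stale key also leaves the acceptor
    unable to decrypt incoming service tickets, even though the name matches."""
    present = parse_klist(text)
    return sorted(p for p, k in kdc_kvnos.items() if p in present and present[p] < k)


if __name__ == "__main__":
    fqdn, realm = "bbbb-dsfw1.aaaa.bbb.ccc", "AAAA.BBB.CCC"
    print("missing from keytab:", missing_principals(SAMPLE_KLIST_OUTPUT, fqdn, realm))
```

On a real server, replace the constructed sample with the output of `klist -kt /etc/krb5.keytab`; if the link noted in the post points at a different file than the one ndsd actually reads, running the check against both paths will show whether they disagree. The client-side "Server not found in Kerberos database" from the TID script is the mirror image: there the KDC itself has no entry for the requested service name, so the name the client builds (from DNS and the realm) is the thing to compare against the KDC's principal list.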