A test Samba server (domain member with ADS security) suffered a crash due to power failure, and after that its shared became inacessible: when Windows clients tried to access them, password dialog was shown and the correct password was not accepted.
Samba log showed the following:
[2009/10/08 13:22:25, 1] smbd/sesssetup.c:reply_spnego_kerberos(316) Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
Winbind log showed the following
[2009/10/08 13:13:45, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(353) Could not parse domain user: lz
The problem was resolved by removing all *.tdb files in /var/lib/samba.
WARNING. This was a test server, so removing the files were not a problem. If it were a production server, removing windbindd_idmap.tdb would destroy the mapping of Windows and Unix users, and thus all file permissions on Samba shares would be screwed up. On a production server one would try to rescue at least windbindd_idmap.tdb.