We just encountered a similar issue on CDOT 8.3.2 to do with SMB1. SMB1 was disabled on the DC's a while ago, suddenly last night - netapp lookups failed.
On our 9.1 filer, switching to smb2 only fixed issue, but not possible on our 8.3.2 filer.
reproducable:
cluster::*> diag sec authentication translate -node NodeName -vserver VserverName -win-name AD\username
[ 1 ms] Successfully connected to x.x.x.x:445 using TCP
[ 12] Successfully authenticated with DC XXXXX
[ 23] Unable to connect to LSA service on XXXX
(Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
[ 90] No servers available for MS_LSA, vserver: 8, domain:
yyyyy.
**[ 90] FAILURE: Unable to make a connection (LSA:YYYY),
** result: 6940
[ 91] Could not find Windows name 'AD\username'
[ 91] CIFS user lookup failed
we dug further and it appears it was a symantec network threat protection block (installed on our DC's) due to definition update on July 21 2017:
