So, if I told you Mac clients are NOT able to do single sign-on (can't log in at the login page, just getting rejected/shaking thing), what would be your first thought to check?

Where: A school district with some Macs

What: A triangle setup with AD and OD; the Mac Server is running Snow Lep, and hosts are a mix of Leopard up to Mt. Lion.

I just started at this place, and the configuration was done long before I got here.
Sounds like the problem might be old too.

The OD is bound to the AD domain, and everything's consistent NTP/time-wise.