I'm sure I'm the only one who didn't know this, but I got snookered by Windows user properties and the "Pre-Windows 2000" name:
Trying to log in as UNIXWIZ\Steve gave a bad username or password, and it should have been obvious what the problem was, but it took a while.
Forever I've assumed that the "Pre-Windows 2000" name applied only to networks with very old servers (NT4 and prior), but of course that's not the case: they're referring to the naming convention, not the servers. The DOMAIN\User notation is the old notation even though it's still widely used, and that name can be different from the user@domain notation.
The above screenshot shows a user who can log in as firstname.lastname@example.org or UNIXWIZ\Steve Friedl, but not UNIXWIZ\Steve. The obvious and sensible solution is just to make sure the names match. Duh.
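One way to find accounts where the two names differ, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and relies on the fact that the "Pre-Windows 2000" field is stored in the `sAMAccountName` attribute and the user@domain logon name in `userPrincipalName`:

```powershell
# Added example: list users whose DOMAIN\User name does not match the
# part of their user@domain name before the "@".
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# NetBIOS domain name, used only to print the DOMAIN\User form.
$netbios = (Get-ADDomain).NetBIOSName

Get-ADUser -Filter * -Properties UserPrincipalName |
    ForEach-Object {
        $sam = $_.SamAccountName      # "Pre-Windows 2000" logon name
        $upn = $_.UserPrincipalName   # user@domain logon name (may be unset)

        # Everything before the last "@"; stays empty when no UPN is set.
        $upnPrefix = if ($upn -match '^(.*)@[^@]*$') { $Matches[1] } else { $upn }

        # -ne is case-insensitive, matching how Windows treats logon names.
        if ($sam -ne $upnPrefix) {
            [PSCustomObject]@{
                DownLevelName     = "$netbios\$sam"
                UserPrincipalName = $upn
                Enabled           = $_.Enabled
            }
        }
    } |
    Sort-Object DownLevelName |
    Format-Table -AutoSize
```

Accounts with no user@domain name set are reported too, since for them the DOMAIN\User form is the only name that will work.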