James Ralston
2007-May-15 17:54 UTC
[Samba] 3.0.25: non-Kerberos authentication fails when security=ads?
I have several servers running Samba, all using security = ads mode. After updating one of the servers to 3.0.25, non-Kerberos login attempts now fail, although Kerberos logins work just fine. E.g.:

    $ smbclient -k -L //my-server
    OS=[Unix] Server=[Samba 3.0.25-0.0]

        Sharename       Type      Comment
        ---------       ----      -------
        ...

    $ smbclient -U username -L //www-dev-eval
    Password:
    session setup failed: NT_STATUS_LOGON_FAILURE

If I look in the logs on my-server, this is what I see for the non-Kerberos attempt:

    [2007/05/15 12:47:10, 0] auth/auth_domain.c:domain_client_validate(257)
      domain_client_validate: unable to validate password for user username in domain OURDOMAIN to Domain controller DC.AD.EXAMPLE.COM. Error was NT_STATUS_NO_SUCH_USER.

This is bogus; username exists, because servers running Samba 3.0.23d work just fine:

    $ smbclient -k -L //other-server
    OS=[Unix] Server=[Samba 3.0.23d-0.1]

        Sharename       Type      Comment
        ---------       ----      -------
        ...

    $ smbclient -U username -L //other-server
    Password:
    Domain=[OURDOMAIN] OS=[Unix] Server=[Samba 3.0.23d-0.1]

        Sharename       Type      Comment
        ---------       ----      -------
        ...

Looking at Bugzilla, I see many bug reports filed against 3.0.25, most of which involve authentication issues. I don't see a report for this particular issue, though.

Is anyone else seeing this problem?
James Ralston
2007-May-16 22:22 UTC
[Samba] 3.0.25: non-Kerberos authentication fails when security=ads?
On 2007-05-15 at 13:43-04 James Ralston wrote:

> I have several servers running Samba, all using security = ads mode.
> After updating one of the servers to 3.0.25, non-Kerberos login
> attempts now fail, although Kerberos logins work just fine.

From digging through other issues on Bugzilla, I discovered that if I run winbind, the problems with non-Kerberos authentication failing go away. I tested winbind in several different configurations (e.g., local mapping versus the rid backend), and the non-Kerberos authentication worked regardless of winbind's specific configuration.

Is it the case that now one *must* run winbind in security=ads mode? It certainly seems that way, but I didn't see any note to the effect in the docs or the HOWTO...
Gerald (Jerry) Carter
2007-May-18 15:12 UTC
[Samba] 3.0.25: non-Kerberos authentication fails when security=ads?
James Ralston wrote:

> Is it the case that now one *must* run winbind
> in security=ads mode?

Nope. Recommended but not required.

cheers, jerry