Garret Huntress
2013-Apr-18 17:53 UTC
[Samba] Bad password when using "map untrusted to domain"
Greetings samba list,

I'm running into an issue when attempting to use "map unknown to domain" on a Samba server bound to my AD domain. When a client maps a share and is not part of the domain, the domain is properly mapped for the user (according to the logs), but the domain controllers report that the password is wrong. I've copied my password out of notepad and pasted it to make sure it's correct. Changing the username to AD\$user and pasting the password works without issue.

Some relevant logs:

cnc-ciw:mapdomainlogs ghuntress$ grep -ri ghuntress *
log.171.66.69.67: UserName : 'ghuntress'
log.171.66.69.67: Got user=[ghuntress] domain=[CNC-PC] workstation=[CNC-PC] len1=24 len2=212
log.cnc-pc: Mapping user [CNC-PC]\[ghuntress] from workstation [CNC-PC]
log.cnc-pc: Mapped domain from [CNC-PC] to [AD] for user [ghuntress] from workstation [CNC-PC]
log.cnc-pc: attempting to make a user_info for ghuntress (ghuntress)
log.cnc-pc: making strings for ghuntress's user_info struct
log.cnc-pc: making blobs for ghuntress's user_info struct
log.cnc-pc: made a user_info for ghuntress (ghuntress)
log.cnc-pc: check_ntlm_password: Checking password for unmapped user [CNC-PC]\[ghuntress]@[CNC-PC] with the new password interface
log.cnc-pc: check_ntlm_password: mapped user is: [AD]\[ghuntress]@[CNC-PC]
log.cnc-pc: Check auth for: [ghuntress]
log.cnc-pc: Check auth for: [ghuntress]
log.cnc-pc: Check auth for: [ghuntress]
log.cnc-pc: check_ntlm_password: winbind authentication for user [ghuntress] FAILED with error NT_STATUS_WRONG_PASSWORD
log.cnc-pc: check_ntlm_password: Authentication for user [ghuntress] -> [ghuntress] FAILED with error NT_STATUS_WRONG_PASSWORD
log.wb-AD: [ 2546]: pam auth crap domain: AD user: ghuntress
log.wb-AD: string : 'ghuntress'
log.wb-AD: NTLM CRAP authentication for user [AD]\[ghuntress] returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
log.winbindd: [ 2572]: pam auth crap domain: [AD] user: ghuntress

I've tried with Samba 3.6.9 on CentOS 6 and Samba 4.0.4 on Fedora 18, same behavior. I'm beginning to think that either I'm completely missing something in my smb.conf file, or there must be a group policy in AD that somehow prevents the "map untrusted to domain" capability from working. FWIW, winbind authentication without a domain in the username does work.

My smb.conf is below:

[global]
# ----------------------- Network Related Options -------------------------
workgroup = AD

# --------------------------- Logging Options -----------------------------
log file = /var/log/samba/log.%m
max log size = 500

# ----------------------- Domain Members Options --------------------------
security = ads
realm = ad.ciw.edu
idmap config * : range = 16777216-33554431
idmap config * : backend = tdb
idmap config AD : backend = rid
idmap config AD : range = 1000-999999
idmap config AD : base_rid = 0
template shell = /bin/false
winbind use default domain = true
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
map untrusted to domain = yes

# --------------------------- Printing Options -----------------------------
load printers = no
printcap name = /dev/null
printing = bsd
show add printer wizard = no
disable spoolss = yes

# --------------------------- Filesystem Options ---------------------------
map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes
hide dot files = yes
hide files = /Thumbs.db/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/

-Garret

--
Garret W. Huntress
Information Systems Manager
Department of Plant Biology
Department of Global Ecology
Carnegie Institution for Science
260 Panama St.
Stanford, CA 94305
Email: ghuntress at ciw.edu
Phone: 650-739-4377
Save a tree! Don't print me!