The SAM logon flow for a user with umlaut characters in the username fails with NT_STATUS_WRONG_PASSWORD even though the proper password is supplied. I had observed this scenario working fine with Samba version 3.6.9. But seems to be broken in 4.1.0 and above. This was tested in 4.1.0 and 4.1.3. This happens when the smb.conf is configured to use ntlmv2 auth. I have pasted part of the smb.conf file below. The winbindd pipe command used is WINBINDD_PAM_AUTH and the flags passed are WBFLAG_PAM_INFO3_TEXT|WBFLAG_PAM_USER_SESSION_KEY|WBFLAG_PAM_LMKEY. Also tested with a standalone samba client running on Ubuntu using wbinfo --ntlmv2 and observed similar behavior. [global] workgroup = ASGTITAN realm = ASGTITAN.COM netbios name = TESTING security = ads client ldap sasl wrapping = sign client schannel = yes winbind use default domain = yes name resolve order = host bcast allow trusted domains = yes client ntlmv2 auth = yes kerberos method = dedicated keytab dedicated keytab file = /etc/5.keytab log level = 10 debug timestamp = no machine password timeout = 0 It works with kerberos based authentication and also with samlogon when client ntlmv2 auth is no. Here is a snippet of samba logs for this scenario. ======================================================= process_request: Handling async request 25963:PAM_AUTH [25963]: pam auth ASGTITAN\ακαδημαϊκός child daemon request 13 child_process_request: request fn PAM_AUTH [26464]: dual pam auth ASGTITAN\ακαδημαϊκός winbindd_dual_pam_auth: domain: ASGTITAN last was online winbindd_dual_pam_auth_samlogon netr_LogonSamLogonEx: struct netr_LogonSamLogonEx in: struct netr_LogonSamLogonEx server_name : * server_name : '\\parent1.asgtitan.com' computer_name : * computer_name : 'VASPHL0LHWKZL8' logon_level : NetlogonNetworkInformation (2) logon : * logon : union netr_LogonLevel(case 2) network : * network: struct netr_NetworkInfo identity_info: struct netr_IdentityInfo domain_name: struct lsa_String length : 0x0010 (16) size : 0x0010 (16) string : * string : 'ASGTITAN' parameter_control : 0x00000000 (0) 0: MSV1_0_CLEARTEXT_PASSWORD_ALLOWED 0: MSV1_0_UPDATE_LOGON_STATISTICS 0: MSV1_0_RETURN_USER_PARAMETERS 0: MSV1_0_DONT_TRY_GUEST_ACCOUNT 0: MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT 0: MSV1_0_RETURN_PASSWORD_EXPIRY 0: MSV1_0_USE_CLIENT_CHALLENGE 0: MSV1_0_TRY_GUEST_ACCOUNT_ONLY 0: MSV1_0_RETURN_PROFILE_PATH 0: MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY 0: MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0: MSV1_0_DISABLE_PERSONAL_FALLBACK 0: MSV1_0_ALLOW_FORCE_GUEST 0: MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED 0: MSV1_0_USE_DOMAIN_FOR_ROUTING_ONLY 0: MSV1_0_ALLOW_MSVCHAPV2 0: MSV1_0_S4U2SELF 0: MSV1_0_CHECK_LOGONHOURS_FOR_S4U 0: MSV1_0_SUBAUTHENTICATION_DLL_EX logon_id_low : 0x0000dead (57005) logon_id_high : 0x0000beef (48879) account_name: struct lsa_String length : 0x0016 (22) size : 0x0016 (22) string : * string : 'ακαδημαϊκός' workstation: struct lsa_String length : 0x0020 (32) size : 0x0020 (32) string : * string : '\\VASPHL0LHWKZL8' challenge : befec25d10905ebd nt: struct netr_ChallengeResponse length : 0x0064 (100) size : 0x0064 (100) data : * data : f2134918dee81a70002f66388aa2dfba010100000000000000eff5ab6263cf01f62c2f3a73d99736000000000200100041005300470054004900540041004e0001001c00560041005300500048004c0030004c 00480057004b005a004c00380000000000 lm: struct netr_ChallengeResponse length : 0x0018 (24) size : 0x0018 (24) data : * data : df78e58801b1f07414bc33f8326d704d92d900527a8bb0c5 validation_level : 0x0006 (6) flags : * flags : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0038 (56) call_id : 0x00000010 (16) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x000001bc (444) context_id : 0x0000 (0) opnum : 0x0027 (39) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 &r: struct dcerpc_auth auth_type : DCERPC_AUTH_TYPE_SCHANNEL (68) auth_level : DCERPC_AUTH_LEVEL_PRIVACY (6) auth_pad_length : 0x04 (4) auth_reserved : 0x00 (0) auth_context_id : 0x00000001 (1) credentials : DATA_BLOB length=0 add_schannel_auth_footer: SCHANNEL seq_num=2 &r: struct NL_AUTH_SHA2_SIGNATURE SignatureAlgorithm : NL_SIGN_HMAC_SHA256 (0x13) SealAlgorithm : NL_SEAL_AES128 (0x1A) Pad : 0xffff (65535) Flags : 0x0000 (0) SequenceNumber : 4e628e233411e24c Checksum : 2bb367ec8adc4f816d8b8cd5103a98ac00000000000000000000000000000000 Confounder : 0000000000000000 rpc_api_pipe: host parent1.asgtitan.com num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=536, this_data=536, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0 smb_signing_md5: sequence number 20 smb_signing_sign_pdu: sent SMB signature of [0000] 74 12 F4 6E 5B BE F0 BA t..n[... smb_signing_md5: sequence number 21 smb_signing_check_pdu: seq 21: got good SMB signature of [0000] B6 1A 70 81 C5 01 A2 0E ..p..... rpc_read_send: data_to_read: 104 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0078 (120) auth_length : 0x0038 (56) call_id : 0x00000010 (16) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=96 [0000] 08 D0 1D 47 9C C4 8D 03 23 F7 4B 93 D6 65 A4 B3 ...G.... #.K..e.. [0010] 86 1B 2D B8 C8 56 65 51 8A 51 94 10 63 87 FE 6F ..-..VeQ .Q..c..o [0020] 44 06 0C 00 01 00 00 00 13 00 1A 00 FF FF 00 00 D....... ........ [0030] 30 18 BF CF 59 60 AD 2B D9 8F F9 07 B2 F4 24 4C 0...Y`.+ ......$L [0040] 18 D7 F8 21 F4 90 3C 30 00 00 00 00 00 00 00 00 ...!..<0 ........ [0050] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 ........ ........ Requested Privacy. ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12 SCHANNEL auth Got pdu len 120, data_len 20, ss_len 12 rpc_api_pipe: got frag len of 120 at offset 0: NT_STATUS_OK rpc_api_pipe: host parent1.asgtitan.com returned 20 bytes. netr_LogonSamLogonEx: struct netr_LogonSamLogonEx out: struct netr_LogonSamLogonEx validation : * validation : union netr_Validation(case 6) sam6 : NULL authoritative : * authoritative : 0x01 (1) flags : * flags : 0x00000000 (0) result : NT_STATUS_WRONG_PASSWORD winbindd_dual_pam_auth_samlogon failed: NT_STATUS_WRONG_PASSWORD Plain-text authentication for user ASGTITAN\ακαδημαϊκός returned NT_STATUS_WRONG_PASSWORD (PAM: 4) Finished processing child request 13 Writing 3496 bytes to parent wb_request_done[25963:PAM_AUTH]: NT_STATUS_WRONG_PASSWORD winbind_client_response_written[25963:PAM_AUTH]: delivered response to client closing socket 23, client exited ======================================================= Regards, Deepesh