I found during debug in all cases that I tested that the password.plaintext field of the auth_usersupplied_info struct is always NULL in source3/auth/auth_unix.c:check_unix_security(). The cause is that source3/auth/auth_ntlmssp.c:auth3_check_password() calls make_user_info_map hardcoded with NULL for the plaintext passowrd instead of passing on the user_info->password.plaintext that was passed into auth3_check_password. Changing the call to make_user_info_map to pass user_info->password.plaintext works around the issue in my testing, but I don't know if there is a reason that other code paths need to pass NULL instead.
*** This bug has been marked as a duplicate of bug 9705 ***