ntlm_auth --helper-protocol=ntlmssp-client-1 doesn't use a forced password as first entry anymore. Instead it will ask for one after recieving the TT string. After the PW was entered, ntlm_auth returns OK\nAF <base64 blob>. This also breaks with the old behaviour, as ntlm_authv3 used to ask for a password after a YR and replied with a single line of OK. You had to send a new YR after that.
This also happens for the gss-spnego-client mode, which is hardly surprising, the way the code looks.
Now fixed in SVN. We now accept a leading PW, and remember it.