When using security=server authentication of clients using NTLMv2 (Vista) fails with "password server FOO rejected the password: NT_STATUS_LOGON_FAILURE".
I believe that this bug is closely related to bug 4365 (https://bugzilla.samba.org/show_bug.cgi?id=4365) which solves this for security=domain.
I was successful in fixing this bug by replacing all "user_info->domain" references in the auth/auth_server.c with "user_info->client_domain". However, I made this fix without really knowing what I do, so it might not be necessary to do the change in all three places in the code.
security=server vanished with samba 4, see release notes for details. closing this bug.