Winbind doesn't authenticate requests that prepend a non-existent domain to the username when the machine is joined into an AD domain. Users that are logged in locally or into another domain with the same username and password are not identified by ntlm_auth unless they specifically enter their usernames as AD_DOMAIN\USERNAME. This breaks transparent ntlm authentication in squid and apache.

* "map untrusted to domain" doesn't make a difference - it only affects smbd.
* "security = domain" or "security = ads" against an AD domain doesn't make a difference.
* "security = domain" against a Samba 3 domain works.

Steps to reproduce:

1. Set up a minimal AD domain member configuration.

   [global]
   workgroup = UNI-RUSE
   realm = UNI-RUSE.BG
   security = ADS
   wins server = 172.16.0.6, 172.16.0.10
   template homedir = /dev/null
   template shell = /sbin/nologin
   idmap config * : range = 1000000-1999999
   idmap config * : backend = tdb

2. net ads join

3. /etc/init.d/winbind start

Expected result:

# wbinfo -a fgdgdgd\\dstoykov%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Actual result:

# wbinfo -a fgdgdgd\\dstoykov%password
plaintext password authentication failed
Could not authenticate user fgdgdgd\dstoykov with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
Could not authenticate user fgdgdgd\dstoykov with challenge/response

# wbinfo -i fgdgdgd\\dstoykov
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user fgdgdgd\dstoykov

# wbinfo -a uni-ruse\\dstoykov%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

# wbinfo -i uni-ruse\\dstoykov
UNI-RUSE\dstoykov:*:1000000:1000000::/dev/null:/sbin/nologin

Result with security=domain, AD domain

/* Same as above */

Result with security=domain, Samba 3.6 domain controller

# wbinfo -a fgdgdgd\\dstoykov%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

# wbinfo -i fgdgdgd\\dstoykov
UCCD\dstoykov:*:1000000:1000000::/dev/null:/sbin/nologin
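Added example, not Samba code and not the reporter's: a caller-side workaround that applies "map untrusted to domain" semantics to the username before it reaches ntlm_auth, plus a parser that reduces the wbinfo -a output shown above to a loggable result. The joined domain, trusted domain list and realm mapping are constructed here; a real helper would obtain them from winbind (e.g. `wbinfo --own-domain` and `wbinfo -m`, an assumption about the deployment).

```python
import re
from dataclasses import dataclass

# Constructed view of the environment in the report; in production these
# come from winbind itself rather than being hard-coded (assumption).
OWN_DOMAIN = "UNI-RUSE"
TRUSTED_DOMAINS = {"UNI-RUSE", "UCCD"}
REALM_TO_DOMAIN = {"UNI-RUSE.BG": "UNI-RUSE"}


@dataclass(frozen=True)
class WinbindName:
    domain: str
    user: str

    def __str__(self) -> str:
        return f"{self.domain}\\{self.user}"


def parse_name(raw: str) -> WinbindName:
    """Split DOMAIN\\user, DOMAIN/user, user@REALM or a bare user name.
    A bare name is attributed to the joined domain, like 'winbind use default domain'."""
    raw = raw.strip()
    if "\\" in raw or "/" in raw:
        domain, user = re.split(r"[\\/]", raw, maxsplit=1)
    elif "@" in raw:
        user, realm = raw.rsplit("@", 1)
        domain = REALM_TO_DOMAIN.get(realm.upper(), realm)
    else:
        domain, user = OWN_DOMAIN, raw
    if not user or not domain:
        raise ValueError(f"malformed name: {raw!r}")
    return WinbindName(domain.upper(), user)


def map_untrusted(name: WinbindName) -> WinbindName:
    """Emulate smbd's 'map untrusted to domain' for ntlm_auth callers: a prefix
    winbind does not know (the report's 'fgdgdgd') is replaced by the joined
    domain, so the lookup becomes UNI-RUSE\\dstoykov. Known domains are left
    untouched so a genuine trusted-domain user is never silently re-homed."""
    if name.domain in TRUSTED_DOMAINS:
        return name
    return WinbindName(OWN_DOMAIN, name.user)


def classify_wbinfo(output: str) -> dict:
    """Reduce 'wbinfo -a' output to per-method success flags and the NT status
    on failure, so monitoring can tell NO_SUCH_USER from a wrong password."""
    m = re.search(r"error code was (NT_STATUS_\w+) \((0x[0-9a-f]+)\)", output)
    status = m.group(1) if m else None
    return {"plaintext": "plaintext password authentication succeeded" in output,
            "challenge_response": "challenge/response password authentication succeeded" in output,
            "nt_status": status, "no_such_user": status == "NT_STATUS_NO_SUCH_USER"}
```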
changed version as the issue still exists in 4.1
I don't think that happens with current releases. Please reopen if it's not fixed.