Our AD team recently upgraded their servers from Windows 2003 to 2008 and broke 
the Samba 3.0.34 installation we had been using for ntlm_auth. We couldn't get 
this version of Samba to join the upgraded servers, so we were forced to look 
into patching Samba 3.5.4 (latest) to fix the issue where ntlm_auth returns an 
invalid NT_KEY. I believe this issue has been open for about 2 years and hasn't 
moved much in the Samba bug list:
https://bugzilla.samba.org/show_bug.cgi?id=6563

A committer named Volker Lendecke suggested that the source was SamLogonEx... 
by using SamLogon instead, you can get around the issue. This seems to stem 
from the SamLogonEx function using session keys versus credentials... but I'd 
like to ask a Windows/Samba expert for a better opinion.

I've attached a patch to the bug report above which adds the --force-samlogon 
option to winbind. If winbind is started without this flag, it operates 
"normally" and we get an invalid NT_KEY returned. If it's started with the 
flag, the issue is resolved. 

We've been running this in production and haven't run into any issues with a 
few thousand 802.1x users. I hope this helps a few people who have been stuck 
in Samba purgatory.

Rob Colantuoni

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
