My only remaining guess here is that Samba / AD isn't permitting ntlm / mschap authentication.
I've narrowed down the authenticating DC, turned up logging and found this: ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user tim.odriscoll ntlm_password_check: NEITHER LanMan nor NT password supplied for user tim.odriscoll I've got this on all my DC's /etc/samba/smb.conf files: ntlm auth = mschapv2-and-ntlmv2-only So, am I correct in thinking that the ntlm_auth client is not using ntlmv2? My ntlm_auth debug in FR is (using --allow-mschapv2): (21) authenticate { (21) mschap: Client is using MS-CHAPv1 with NT-Password (21) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --allow-mschapv2 --domain=lambrook --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (21) mschap: EXPAND --username=%{%{mschap:User-Name}:-00} (21) mschap: --> --username=tim.odriscoll (21) mschap: mschap1: 39 (21) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (21) mschap: --> --challenge=3985fc5b9031d694 (21) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (21) mschap: --> --nt-response=32f3fe95ffa414578c60e77fca9f28af183055a5f46f262d Perhaps '--allow-mschapv2' doesn't actually mean 'use-mschapv2', only allow it if the client sends it to FR? Thank you, Tim