We've also seen this issue. Network accounts (LDAPv3) will get to the password entry screen, but behave as though the password is incorrect.
When I use an account that is local to the server, I can log in fine. (Or when we use AFP, it works fine.)
This is from 10.10.5 clients to 10.10.5 server with Server.app 4.1.5, as in the original post.
I've tried:
sudo kill -SIGHUP <pid_of_smbd>
No change.
sudo kill -SIGTERM <pid_of_smbd>
No change.
sudo serveradmin stop smb && sudo serveradmin start smb
No change.
Here's what the server spews to log when we try a network user login:
11/25/15 2:19:25.676 PM digest-service[96515]: label: default
11/25/15 2:19:25.676 PM digest-service[96515]: dbname: od:/Local/Default
11/25/15 2:19:25.676 PM digest-service[96515]: mkey_file: /var/db/krb5kdc/m-key
11/25/15 2:19:25.676 PM digest-service[96515]: acl_file: /var/db/krb5kdc/kadmind.acl
11/25/15 2:19:25.678 PM digest-service[96515]: digest-request: uid=0
11/25/15 2:19:25.680 PM digest-service[96515]: digest-request: netr probe 0
11/25/15 2:19:25.681 PM digest-service[96515]: digest-request: init request
11/25/15 2:19:25.712 PM digest-service[96515]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>
11/25/15 2:19:25.713 PM digest-service[96515]: digest-request: uid=0
11/25/15 2:19:25.713 PM digest-service[96515]: digest-request: init request
11/25/15 2:19:25.744 PM digest-service[96515]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>
11/25/15 2:19:26.227 PM kdc[108]: Got a canonicalize request for a LKDC realm from local-ipc
11/25/15 2:19:26.227 PM kdc[108]: Asked for LKDC, but there is none
11/25/15 2:19:26.236 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf
11/25/15 2:19:41.261 PM kdc[108]: Got a canonicalize request for a LKDC realm from local-ipc
11/25/15 2:19:41.262 PM kdc[108]: Asked for LKDC, but there is none
11/25/15 2:19:41.271 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf
11/25/15 2:19:41.272 PM digest-service[96515]: digest-request: uid=0
11/25/15 2:19:41.272 PM digest-service[96515]: digest-request: init request
11/25/15 2:19:41.304 PM digest-service[96515]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>
11/25/15 2:19:41.314 PM digest-service[96515]: digest-request: uid=0
11/25/15 2:19:41.314 PM digest-service[96515]: digest-request: init request
11/25/15 2:19:41.345 PM digest-service[96515]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>
11/25/15 2:19:41.348 PM digest-service[96515]: digest-request: uid=0
11/25/15 2:19:41.403 PM digest-service[96515]: digest-request od: ok user=PIP\david proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
[the previous 8 lines repeat]
Here's the same spew for a local user:
11/25/15 2:22:19.239 PM digest-service[96566]: label: default
11/25/15 2:22:19.240 PM digest-service[96566]: dbname: od:/Local/Default
11/25/15 2:22:19.240 PM digest-service[96566]: mkey_file: /var/db/krb5kdc/m-key
11/25/15 2:22:19.240 PM digest-service[96566]: acl_file: /var/db/krb5kdc/kadmind.acl
11/25/15 2:22:19.242 PM digest-service[96566]: digest-request: uid=0
11/25/15 2:22:19.244 PM digest-service[96566]: digest-request: netr probe 0
11/25/15 2:22:19.245 PM digest-service[96566]: digest-request: init request
11/25/15 2:22:19.278 PM digest-service[96566]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>
11/25/15 2:22:19.288 PM digest-service[96566]: digest-request: uid=0
11/25/15 2:22:19.288 PM digest-service[96566]: digest-request: init request
11/25/15 2:22:19.319 PM digest-service[96566]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>
11/25/15 2:22:19.728 PM kdc[108]: Got a canonicalize request for a LKDC realm from local-ipc
11/25/15 2:22:19.728 PM kdc[108]: Asked for LKDC, but there is none
11/25/15 2:22:19.737 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf
11/25/15 2:22:32.481 PM kdc[108]: Got a canonicalize request for a LKDC realm from local-ipc
11/25/15 2:22:32.481 PM kdc[108]: Asked for LKDC, but there is none
11/25/15 2:22:32.488 PM digest-service[96566]: digest-request: uid=0
11/25/15 2:22:32.488 PM digest-service[96566]: digest-request: init request
11/25/15 2:22:32.490 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf
11/25/15 2:22:32.520 PM digest-service[96566]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>
11/25/15 2:22:32.529 PM digest-service[96566]: digest-request: uid=0
11/25/15 2:22:32.529 PM digest-service[96566]: digest-request: init request
11/25/15 2:22:32.560 PM digest-service[96566]: digest-request: init return domain: PIP server: PIP indomain was: <NULL>
11/25/15 2:22:32.563 PM digest-service[96566]: digest-request: uid=0
11/25/15 2:22:32.565 PM digest-service[96566]: digest-request: od failed with 2 proto=ntlmv2
11/25/15 2:22:32.565 PM digest-service[96566]: digest-request: user=PIP\metroeastserver
11/25/15 2:22:32.572 PM digest-service[96566]: digest-request kdc: ok user=PIP\metroeastserver proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
Here's AFP, which works:
11/25/15 2:37:20.779 PM kdc[108]: Got a canonicalize request for a LKDC realm from local-ipc
11/25/15 2:37:20.779 PM kdc[108]: Asked for LKDC, but there is none
11/25/15 2:37:20.787 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf
11/25/15 2:37:38.802 PM kdc[108]: Got a canonicalize request for a LKDC realm from local-ipc
11/25/15 2:37:38.802 PM kdc[108]: Asked for LKDC, but there is none
11/25/15 2:37:38.811 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf
11/25/15 2:37:38.833 PM kdc[108]: AS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:62096 for krbtgt/LES.METROEAST.ORG@LES.METROEAST.ORG
11/25/15 2:37:38.836 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf
11/25/15 2:37:38.843 PM kdc[108]: AS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:62096 for krbtgt/LES.METROEAST.ORG@LES.METROEAST.ORG
11/25/15 2:37:38.844 PM kdc[108]: Client sent patypes: REQ-ENC-PA-REP
11/25/15 2:37:38.844 PM kdc[108]: user has no SRP keys
11/25/15 2:37:38.844 PM kdc[108]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
11/25/15 2:37:38.848 PM kdc[108]: AS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:56638 for krbtgt/LES.METROEAST.ORG@LES.METROEAST.ORG
11/25/15 2:37:38.857 PM kdc[108]: AS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:56638 for krbtgt/LES.METROEAST.ORG@LES.METROEAST.ORG
11/25/15 2:37:38.858 PM kdc[108]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
11/25/15 2:37:38.858 PM kdc[108]: ENC-TS pre-authentication succeeded -- davidelkinbram@LES.METROEAST.ORG
11/25/15 2:37:38.916 PM kdc[108]: DSUpdateLoginStatus: Unable to synchronize login time for davidelkinbram: 77009
11/25/15 2:37:38.928 PM kdc[108]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
11/25/15 2:37:38.928 PM kdc[108]: Requested flags: forwardable
11/25/15 2:37:38.937 PM kdc[108]: TGS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:54529 for host/pip.metroeast.org@LES.METROEAST.ORG [canonicalize, forwardable]
11/25/15 2:37:38.959 PM kdc[108]: TGS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:60502 for host/pip.metroeast.org@LES.METROEAST.ORG [forwardable]
11/25/15 2:37:38.980 PM kdc[108]: TGS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:51550 for ldap/pip.metroeast.org@LES.METROEAST.ORG [canonicalize, forwardable]
11/25/15 2:37:39.000 PM kdc[108]: TGS-REQ davidelkinbram@LES.METROEAST.ORG from 127.0.0.1:60575 for ldap/pip.metroeast.org@LES.METROEAST.ORG [forwardable]
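For comparing traces like the ones in the post above, a small triage helper (an added example, not part of the original post): it tabulates which backend (`od` or `kdc`, as named in the log lines) reported each NTLMv2 digest result per user, and counts the sandboxd denials. The function names are hypothetical, and the pairing of a failure line with the following `user=` line is an assumption based on the order seen in these logs.

```python
import re
from collections import Counter
# Sample input: lines copied verbatim from the logs in the post above.
SAMPLE = r"""
11/25/15 2:19:41.403 PM digest-service[96515]: digest-request od: ok user=PIP\david proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
11/25/15 2:22:32.490 PM sandboxd[410]: ([108]) kdc(108) deny file-read-data /private/etc/krb5.conf
11/25/15 2:22:32.565 PM digest-service[96566]: digest-request: od failed with 2 proto=ntlmv2
11/25/15 2:22:32.565 PM digest-service[96566]: digest-request: user=PIP\metroeastserver
11/25/15 2:22:32.572 PM digest-service[96566]: digest-request kdc: ok user=PIP\metroeastserver proto=ntlmv2 flags: ENC_128, NEG_VERSION, NEG_TARGET_INFO, NEG_NTLM, NEG_TARGET, NEG_UNICODE
"""

LINE = re.compile(r"^\S+ \S+ [AP]M ([\w-]+)\[(\d+)\]: (.*)$")
OK = re.compile(r"^digest-request (\w+): ok user=(\S+) proto=(\S+)")
FAIL = re.compile(r"^digest-request: (\w+) failed with (\d+) proto=(\S+)")
USER = re.compile(r"^digest-request: user=(\S+)")
DENY = re.compile(r"(\w+)\(\d+\) deny (\S+) (\S+)")

def summarize(text):
    """Return (events, denies) for digest-service results and sandboxd denials."""
    events, denies, pending = [], Counter(), {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        proc, pid, msg = m.groups()
        if proc == "sandboxd":
            if d := DENY.search(msg):
                denies[d.groups()] += 1
        elif proc == "digest-service":
            if f := FAIL.match(msg):
                # Assumption: the next user= line from the same PID names the user.
                ev = {"pid": pid, "user": None, "backend": f[1],
                      "result": "failed:" + f[2], "proto": f[3]}
                events.append(ev)
                pending[pid] = ev
            elif (u := USER.match(msg)) and pid in pending:
                pending.pop(pid)["user"] = u[1]
            elif o := OK.match(msg):
                events.append({"pid": pid, "user": o[2], "backend": o[1],
                               "result": "ok", "proto": o[3]})
    return events, denies

def outcomes_by_user(events):
    out = {}
    for ev in events:
        out.setdefault(ev["user"], []).append((ev["backend"], ev["result"]))
    return out
```

Feeding it a full `system.log` excerpt instead of `SAMPLE` gives one row per account, which makes it easy to see whether network and local accounts are being answered by different backends.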