Since you are getting your username and password from a CGI query, I suggest you use Data::Dumper to find out what is really being given to your script. Perhaps some encoding is being done that CGI is not catching.

You're probably aware that browsers frequently encode form fields before passing them to GET; some browsers do this (usually to a lesser extent) for POST requests, too. CGI modules typically un-encode them, but maybe something is being missed here?

Incidentally, I highly recommend CGI::Simple as a replacement for CGI: it drops in to most CGI-using scripts without any serious code modification, and it has worked much better for me in every case.

You may not be using eval, but it's possible that Authen::Smb::authen() is doing something odd with the values.

It's also possible that the system has set up policies that restrict the use of specific characters. (most directory systems do, so that you can set more restrictive character sets, because some of the systems that authenticate off of them may have problems with characters ... for instance, '#' and '+++' could get you into problems depending on how you're connecting to the system)

I've never used Authen::Smb, so I don't know if there's a way to tell from the error messages generated (if there are any -- you just said the infamous 'didn't work') if you can tell what type of error it actually was (something caused at the client side, or the server side) ... eg, does $authResult have any extra info in it?