I am having a problem with Winbind and kerberos: OS: Solaris8 Samba: 3.0.7 MIT Kerberos: 1.3.5 OpenLDAP: 2.2.17 Windows: Active Directory on Windows Server 2003 I have Samba compiled with openldap, kerberos and PAM support and everything is working fine as far as access. The problem is that when I login to the Solaris system using SSH and I check the security logs on the Windows domain controller performing the authentication I see that kerberos is not being used. Instead, MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 is used. This is the event log related to this logon event: ======================================Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: <Windows username> Source Workstation: \\<hostname> Error Code: 0x0 ====================================== Additionally, the event just prior to this one every time is this: ======================================Pre-authentication failed: User Name: <hostname>$ User ID: <domain>\<hostname>$ Service Name: krbtgt/<kerberos realm> Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: <IP Address> ====================================== SMB.CONF ====================================== workgroup = <upper case netbios domain name> netbios name = <hostname> winbind separator = + winbind use default domain = yes winbind trusted domains only = yes security = ads encrypt passwords = yes realm = <upper case realm name> idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes log file = /local/samba/log/log.%m log level = 10 max log size = 5000 ====================================== PAM.CONF ======================================login auth required /usr/lib/security/pam_winbind.so login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 # rlogin auth sufficient /usr/lib/security/pam_winbind.so rlogin auth requisite pam_authtok_get.so.1 rlogin auth required pam_dhkeys.so.1 rlogin auth required pam_unix_auth.so.1 # dtlogin auth requisite pam_authtok_get.so.1 dtlogin auth required pam_dhkeys.so.1 dtlogin auth required pam_unix_auth.so.1 # other auth sufficient /usr/lib/security/pam_winbind.so other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_auth.so.1 login account requisite pam_roles.so.1 login account required pam_projects.so.1 login account required pam_unix_account.so.1 dtlogin account requisite pam_roles.so.1 dtlogin account required pam_projects.so.1 dtlogin account required pam_unix_account.so.1 other account sufficient /usr/lib/security/pam_winbind.so other account requisite pam_roles.so.1 other account required pam_projects.so.1 other account required pam_unix_account.so.1 other session required pam_unix_session.so.1 other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password required pam_authtok_store.so.1 dtsession auth requisite pam_authtok_get.so.1 dtsession auth required pam_dhkeys.so.1 dtsession auth required pam_unix_auth.so.1 ppp auth requisite pam_authtok_get.so.1 ppp auth required pam_dhkeys.so.1 ppp auth required pam_unix_auth.so.1 ppp auth required pam_dial_auth.so.1 ppp account requisite pam_roles.so.1 ppp account required pam_projects.so.1 ppp account required pam_unix_account.so.1 ppp session required pam_unix_session.so.1 passwd auth required pam_passwd_auth.so.1 cron account required pam_unix_account.so.1 ====================================== Additional information: -I have /etc/krb5.conf setup correctly and kinit works just fine. -If I setup a group policy to deny LM and NTLM and only allow NTLMv2 authentication in Active Directory, then SSH login to this system completely fails. SMB sharing to this system, however, works ok in this situation. -I have the exact same setup on RedHat Fedora and Solaris9 and both exhibit the exact same behavior. Thanks in advance for any help.