Winbind works very well for most of the domains with which we have trusts. But for one domain, 'groups DOMAIN\user' returns only gid 0, and I see Kerberos errors in winbind logs:

[2008/01/31 13:51:12, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
  ads_krb5_mk_req: krb5_get_credentials failed for foo$@THEIRDOMAIN (Server not found in Kerberos database)
[2008/01/31 13:51:12, 1] nsswitch/winbindd_ads.c:ads_cached_connection(128)
  ads_connect for domain THEIRDOMAIN failed: Server not found in Kerberos database
[2008/01/31 13:51:12, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-[...]

Don McCall appears to have had the same problem:

http://lists.samba.org/archive/samba-technical/2007-February/051678.html

Jerry confirmed that a two-way trust is required between the domain that the winbind host belongs to and any trusted domains.

Is there any workaround to this at all? Is it perhaps possible to have winbind use credentials from the trusted domain to bind to the DC for looking up user information?

Thank you,

Ian Masterson
University of Washington Libraries