When I try to use kerberos with winbind to authenticate with a userid stored in Active Directory (AD), authentication fails because the principal name that kerberos is trying to use is the 'extended' id used by winbind. In other words, suppose my domain name is 'mydomain', the userid in AD is 'myid', and my smb.conf is set up to use a separator character of '+'. Therefore, I logon to the Linux box as mydomain+myid. If I don't use kerberos (via pam_winbind), I can logon fine. When I try to logon using kerberos (via pam_krb5), a sniffer trace on the domain controller reveals that the principal name passed to AD is mydomain+myid instead of just myid. Clearly, this is not going to work. Any ideas on how to correct this? Thanks. Hugh