This is my first post to this list.
The domain names etc. have been changed slightly in the examples below, but you should get the idea.

For a long time now (since 3.0.2a?), I have been using the samba 3.0.x series at one of our client sites.
The Linux server is joined to a Win2k3 Active Directory.
All users are created in the ADS, and the Linux server is able to authenticate them, etc.

I recently upgraded from 3.0.7 to 3.0.8.
At this point winbind was partially broken.

The following commands still worked fine after the upgrade:

    wbinfo -u
    wbinfo -g
    getent passwd
    getent group

However the following commands now failed:

    wbinfo -t
    wbinfo -a user%password

Also authentication is now failing for our POP daemon and SQUID proxy software.

The POP daemon is using the pam pam_winbind.so method of authenticating.
Messages from the syslog daemon related to the POP failures are as follows:

    popa3d[15772]: Authentication failed for UNKNOWN USER

Squid 2.5.7 uses winbind to authenticate our users to the proxy via ntlm.
When a user called 'dineshbh' tried to authenticate, the following was logged by syslog:

    squid[15114]: authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

The relevant config in squid.conf for this is like so:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

So I checked to see if kerberos was working still.
Running 'kinit adminstrator@SITE.COM.AU' prompted me for a password and worked properly.

So I decided to try and rejoin the ADS again with 'net ads join -U administrator'.
It successfully joined saying the machine account already existed, and that it has updated it.

The wbinfo and getent commands behave as before.
Commands that fetch group and user info all work, but the authentication commands failed.

After downgrading back to 3.0.7 again, everything started to work correctly again.

Unfortunately I've lost the window that I was working in, so I don't have exact responses from the failure of the 'wbinfo -t' and 'wbinfo -a' commands, however I can show my config and error messages that appeared in logs.

When I ran the wbinfo -t command the following appeared in the log.winbindd file:

    [2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
      failed tcon_X with NT_STATUS_ACCESS_DENIED
    [2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
      failed tcon_X with NT_STATUS_ACCESS_DENIED
    [2004/11/24 18:38:23, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
      failed tcon_X with NT_STATUS_ACCESS_DENIED

There were no other error messages in logs, and samba, winbind, etc. seem to start just fine with no error messages.

The config is as follows:

The /etc/krb5.conf contains the following relevant entries:

    [libdefaults]
        default_realm = SITE.COM.AU

    [realms]
        SITE.COM.AU = {
            kdc = sitepdc
            admin_server = sitepdc
        }

    [domain_realm]
        site.com.au = SITE.COM.AU
        .site.com.au = SITE.COM.AU

The /etc/smb.conf contains the following relevant entries:

    [global]
        workgroup = site
        password server = sitepdc
        realm = site.com.au
        security = ads
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home/%u
        winbind cache time = 120
        winbind use default domain = yes

        # Disable weak LANMAN hash (only required for Win95/98 boxes).
        client lanman auth = no
        lanman auth = no

        # Only allow NTLMv2 authentication (disables NTLMv1) for the best security.
        client ntlmv2 auth = yes
        ntlm auth = no

        # Do not allow anonymous users to collect user and group lists.
        restrict anonymous = 2

I have an entry like so in the /etc/samba/lmhosts file:

    172.16.0.10 sitepdc.site.com.au sitepdc

Any ideas why the trust used for authenticating users no longer works in 3.0.8?

--
Jim Barber
Digital Diagnostic Imaging (The Filmless Future)