The company I work for is split across two sites, each site has its own domain. The local end is a Samba server (DomA) with about 50 users, the remote end is NT4(DomB) with about 150 active users (400+ usernames in userlist). The two sites are connected over a VPN (Internally DomA=172.16.1.0/24, DomB=10.1.0.0/16) and the two domains trust each other. Users from either site regularly visit, and work from, the other site. When a DomA user logs in from either site, he gets the login script and profile from DomA. However, when a user from DomB logs in from the DomA site, he does not get a login script or a profile from DomB (or DomA). From the DomB site, everything works as expected. The Samba server was initially setup using 3.0.4 but the problem is still present with 3.0.11. I believe that the trusts are working properly - 'wbinfo -t' returns OK, and all authentication appears to be working. 'getent passwd/group' show all users/groups on both domains. However, I am also having problems with setfacl/getfacl when using Samba 3.0.6 or greater. With 3.0.5, there are no problems, but as soon as winbindd 3.0.6 is installed, some of the usernames from DomB are not recognised e.g. with 3.0.5, 'setfacl -m u:DomB+someuser:r-x somefile' succeeds, and 'getfacl somefile' includes 'user:DomB+someuser:r-x' in the ACL. with 3.0.6, the same setfacl command returns an error and getfacl returns 'user:10424:r-x' and 'user:DomB+anotheruser:r-x' (where idmap uids are 10000-20000). Is there a reason why the scripts/profiles are not being read back? Why would some DomB users not work with setfacl/getfacl when winbindd is updated to 3.0.6 or above? Has anyone else had the same problems? Samba server setup is as follows: OS: SuSE 9.0 (no updates) Samba: Updated/Compiled from sources, set as WINS server Using LDAP and IdealX 0.8.4 (? I think) scripts. Clients are Win2K and XP boxes (with varying SP levels). I'll generate some logs when I get into work and post them later. Thanks.