I am using Samba 3.0.20b as a PDC with an OpenLDAP back end. It works great! Many of my users have login access as well as access to Samba shares, so they have a shell, auto_home, etc. in the LDAP directory. I'd like to restrict their ability to log in to a shell on the PDC machine though. I tried using passwd_compat in nsswitch.conf and putting selected netgroups in the passwd file. However, this knocks the excluded users out of the NT domain as well. I thought "ldapsam:trusted = yes" might be a step in the right direction, but no. This is a Solaris 9 system, BTW. Any thoughts? Thanks! -- Roy McMorran Systems Administrator MDI Biological Laboratory mcmorran@mdibl.org