I have two issues, potentially related, potentially not.

First off, a bit about my environment: I am experiencing the same issues on two boxes, one of which is running Red Hat Linux ES 4 update 6 i386, the other running Red Hat Enterprise Linux Server release 5.1 x86_64. Both appear to be running Samba 3.0.25b, and both are members of an Active Directory domain. There are 7 domain controllers in total, and there are a largish number of users: approximately 34,000.

I am only allowing users that belong to a certain group to log in, selecting in /etc/security/pam_winbind.conf with require_membership_of=[GROUP SID]. I also have this same group named in /etc/sudoers with a line similar to:

    %Name\ Of\ My\ Group ALL=(ALL) ALL

(Note that I am using a group name with spaces in it; though it states in the docs this is a no-no, it seems to work, initially at least. More on that later.)

The first issue is that after winbindd has been running for a while (several hours perhaps?), logins slow down to a crawl. It can take upwards of two minutes to log in, whether the username exists in the local passwd file or is an AD user. If I restart winbindd, logins are once again snappy.

The second issue is that after I have logged in as an AD user and the session has sat idle for maybe 10 minutes or so, I get the following error when trying to sudo:

    sudo: uid [some number] does not exist in the passwd file!

If I log out and log back in, I can do sudo commands. Also, of note, if I run anything that calls getpwent(), sudo once again works. I came up with this test program:

    #include <sys/types.h>
    #include <pwd.h>
    #include <stdio.h>

    int main(int argc, char** argv) {
        /* Fetch the first entry of the passwd database through NSS. */
        struct passwd * whatevs = getpwent();
        if (whatevs) {
            /* Print it in /etc/passwd format. */
            printf("%s:%s:%d:%d:%s:%s:%s\n",
                   whatevs->pw_name, whatevs->pw_passwd,
                   whatevs->pw_uid, whatevs->pw_gid,
                   whatevs->pw_gecos, whatevs->pw_dir,
                   whatevs->pw_shell);
        } else {
            printf("crap!!!! null\n");
        }
        return 0;
    }

Here is my smb.conf:

    [global]
    workgroup=VANDERBILT
    server string = Lamborghini Metaclinic (RHEL5.1)
    netbios name = lamborghini
    realm = DS.VANDERBILT.EDU
    preferred master = no
    security = ADS
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/%m
    max log size = 50
    printcap name = cups
    printing = cups
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind separator = +
    idmap uid = 1000-100000000
    idmap gid = 1000-100000000
    idmap backend idmap_rid:VANDERBILT=1000-50000000
    ;template primary group "Domain Users"
    template shell = /bin/bash
    winbind offline logon = yes

Here is my /etc/krb5.conf:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = DS.VANDERBILT.EDU
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    DS.VANDERBILT.EDU = {
        kdc = ds.vanderbilt.edu
    }

    [domain_realm]
    .kerberos.server = DS.VANDERBILT.EDU

    [appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

My /etc/security/pam_winbind.conf:

    [global]
    require_membership_of = [some long SID here]

and I've already given the relevant bits of the sudoers file.

As an aside, is there a way to give an SID instead of a group name in the /etc/sudoers file?

Nathan Johnson