All, I have a Samba 3.0.4 server running on AIX 5.2. Samba is configured with PAM, LDAP and Kerberos. The server has been joined to an existing Windows 2003 domain, and wbinfo -u and wbinfo -g works fine. Users from the domain that Samba is a member of can authenticate just fine. The domain is in a one-way trust relationship with another ADS domain (i.e. Samba is a member of domain A, users from domain B can access any machines in domain A, but not vice versa). When a user from domain B tries to connect to the Samba share, I get a Kerberos error in the winbindd logs when the Samba server is trying to set up a session with the DC in domain B. I had this working, and then I made the mistake of running SWAT, which blew away my smb.conf file. Can someone tell me if I'm missing something and if so, what? Smb.conf: # Samba config file created using SWAT # from 162.10.170.129 (162.10.170.129) # Date: 2005/08/11 14:13:47 # Global parameters [global] workgroup = DEVELOPMENT realm = READING.DEVPORTAL.NET encrypt passwords = yes security = ADS password server = usrd106.reading.devportal.net winbind uid = 10000-20000 winbind gid = 10000-20000 winbind separator = + use spnego = yes client use spnego = yes winbind enum groups = yes winbind enum users = yes winbind use default domain = true [public] comment = Public data directory path = /sambapublic username = @"DEVELOPMENT+Domain Users",@"CORP+Domain Users" read list = @"DEVELOPMENT+Domain Users",@"CORP+Domain Users" read only = No krb5.conf: [libdefaults] default_realm = READING.DEVPORTAL.NET [domain_realm] .reading.devportal.net = READING.DEVPORTAL.NET .devportal.net = READING.DEVPORTAL.NET [realms] READING.DEVPORTAL.NET = { kdc = usrd106.reading.devportal.net default_domain = reading.devportal.net } [logging] kdc = FILE:/var/heimdal/kdc.log kdc = SYSLOG:INFO default = SYSLOG:INFO:USER Winbindd log: [2005/08/12 09:07:08, 1] nsswitch/winbindd.c:main(843) winbindd version 3.0.4 started. Copyright The Samba Team 2000-2004 [2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180) Added domain DEVELOPMENT READING.DEVPORTAL.NET S-0-0 [2005/08/12 09:07:08, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306) krb5_cc_get_principal failed (A file or directory in the path name does not ex ist.) [2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180) Added domain CORP S-1-5-21-2817246239-1260869369-510543907 [2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180) Added domain OZ S-1-5-21-2070835033-1539587657-2044928816 [2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180) Added domain BUILTIN S-1-5-32 [2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180) Added domain FLOATER S-1-5-21-1519954005-851123223-2065552488 [2005/08/12 09:07:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(314) krb5_get_credentials failed for usrd105$@CORP.ANACOMP.COM (Unknown error -1765 328377) [2005/08/12 09:07:20, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(541) spnego_gen_negTokenTarg failed: Unknown error -1765328377 [2005/08/12 09:07:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(314) krb5_get_credentials failed for usrd105$@CORP.ANACOMP.COM (Unknown error -1765 328377) [2005/08/12 09:07:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(314) krb5_get_credentials failed for usrd105$@CORP.ANACOMP.COM (Unknown error -1765 328377) ...skipping... Added domain DEVELOPMENT READING.DEVPORTAL.NET S-0-0 [2005/08/12 09:07:08, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306) krb5_cc_get_principal failed (A file or directory in the path name does not exist.) [2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180) Thanks, Ron