Hi all! It will good for me if you help me. On a client side: I have the following global section and have a winbind pam config: [global] workgroup = COMPANY realm = COMPANY.RU security = ADS encrypt passwords = true dns proxy = no socket options = TCP_NODELAY domain master = no local master = no preferred master = no os level = 0 domain logons = no load printers = no show add printer wizard = no printcap name = /dev/null disable spoolss = yes idmap config * : range = 10000-20000 idmap config * : backend = tdb winbind enum groups = yes winbind enum users = yes winbind use default domain = yes template shell = /bin/bash winbind refresh tickets = yes # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE auth sufficient pam_unix.so nullok_secure use_first_pass auth required pam_deny.so # here are the per-package modules (the "Primary" block) auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) auth optional pam_ecryptfs.so unwrap auth optional pam_cap.so # end of pam-auth-update config After login to client I have a tgt for example: Valid starting Expires Service principal 23.08.2014 23:00:53 24.08.2014 09:00:51 krbtgt/COMPANY.RU@COMPANY.RU renew until 30.08.2014 23:00:53 23.08.2014 23:00:53 24.08.2014 09:00:51 GUSEVVS$@COMPANY.RU renew until 30.08.2014 23:00:53 The first question is about: GUSEVVS$@COMPANY.RU - What about the ticket? $ - is strange symbol... The second is about: Expiries... When I lock my PC (ubuntu), and unlock it again: I get a new tgt, but when my pc is ilde without lock screen more than 10 hours, I have expiried my tgt, and because of this I can't explore any kerberosed services. I use samba 4.1.6 as domain member (ubuntu repos) and 4.1.9 as a server side software (sernet) Does it work? I mean: winbind refresh tickets = yes value. Thank for you effort to me!