I'm not completely sure if this is really a bug (I don't have AIX) but I noticed something strange in the nss code. in nsswitch/pam_winbind.c:1539 (in pam_sm_authenticate) there is some code that, for AIX only, translates an encoded username (_#uid) from the username variable into the real_username variable. If no encoded username is used (which is always on non-AIX platforms) username is strdup'd into real_username. So far so good (though it might be a bit inefficient to do all this strdupping when it's really not needed on non-AIX). Yet, further on real_username is used in debug output and it is freed again, but the actual work (on line 1587) is done using username instead of real_username. retval = winbind_auth_request(pamh, ctrl, username, password, member, cctype, NULL, NULL, &username_ret); AFAICS this means that, on AIX the encoded _#uid will still be used instead of the decoded version, so logging in won't work. Again, all of this is untested and only based on reading the code, but changing username into real_username in that last line should make things work properly again.