Hi Jacky,

As many folks have already mentioned, authorization is outside of the scope of Kerberos.

Take a look at pam_listfile. You can define an arbitrary white or black list of users or groups and apply it against a service.

http://www.us.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_listfile.html

Dax Kelson
Guru Labs
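
A sketch of the allow-list setup suggested above, added here as an illustration and not part of the original message. The service (sshd), the use of pam_krb5 for the Kerberos step, and the file paths are assumptions; the pam_listfile options are the ones documented for the module.

```conf
# /etc/pam.d/sshd  (constructed example; service and paths are assumptions)

# Authentication: Kerberos establishes who the user is.
auth     required  pam_krb5.so

# Authorization: only users named in the list file may use this service.
# Placed in the account stack so it is evaluated separately from how the
# user authenticated.
#   item=user    match on the login name
#   sense=allow  the file is an allow list (sense=deny makes it a deny list)
#   onerr=fail   deny if the file is missing or unreadable
account  required  pam_listfile.so item=user sense=allow file=/etc/security/sshd.allow onerr=fail
account  required  pam_krb5.so

# Group-based variant (use in place of the item=user line): the user is
# allowed if they belong to any group named in the file.
# account required pam_listfile.so item=group sense=allow file=/etc/security/sshd.groups onerr=fail

# Setting to avoid on an allow list: with onerr=succeed the module returns
# success when the file cannot be opened, so a deleted or unreadable list
# silently admits every authenticated user.
# account required pam_listfile.so item=user sense=allow file=/etc/security/sshd.allow onerr=succeed

# /etc/security/sshd.allow  (one name per line; constructed sample)
#   alice
#   bob
# The list must be a regular file and must not be world-writable, otherwise
# pam_listfile treats it as an error and onerr decides the outcome.
```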