Hopefully this can explain where the confusion with LDAP is coming from. Here are two smb.conf files I use with clients (with any details changed, obviously). The top one is the relevant part of [global] for a file server that is part of a Windows domain; Kerberos is needed but LDAP is not, because an external password server is provided to authenticate against. I also put a sample share section on there that shows how to address permissions. The server still maps domain users and groups to uids/gids, but rather than having a local OpenLDAP database it uses an external server; this is done mainly through the nsswitch.conf file:

    passwd: compat winbind
    shadow: compat
    group:  compat winbind

The second [global] section of smb.conf shows a Samba server acting as a domain controller (this only acts as an NT4 domain controller; features expected in 2003 aren't available), but you can see it does list its own LDAP server for authentication and uses the smbldap-tools to manage users and groups. Its nsswitch.conf file points to its own local LDAP server for mapping names to uids/gids:

    passwd: files ldap
    shadow: files ldap
    group:  files ldap

Hope that's of some help.
=== First no LDAP file server ===

[global]
        dos charset = ASCII
        unix charset = UTF8
        display charset = UTF8
        workgroup = Domain
        realm = Domain
        # domain member: Kerberos/AD against the password server, no local passdb
        security = ADS
        server string = Samba Server %v
        password server = 10.11.12.13
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        client use spnego = yes

[extra]
        path = /exports/extra
        force user = root
        read only = No
        valid users = @"domain\user",@"domain\group"

=== Second DC with LDAP server ===

[global]
        netbios name = Samba-DC
        workgroup = Domain
        server string = LDAP PDC [on Gentoo :: Samba server %v]
        security = user
        encrypt passwords = yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        interfaces = lo eth0
        bind interfaces only = yes
        local master = yes
        os level = 65
        domain master = yes
        preferred master = yes
        null passwords = no
        hide unreadable = yes
        hide dot files = yes
        domain logons = yes
        logon drive = H:
        logon home = \\%L\%U
        wins support = yes
        name resolve order = wins lmhosts host bcast
        dns proxy = no
        time server = yes
        log file = /var/log/samba/log.%m
        max log size = 50
        log level = 3
        # users, machines and groups are managed in LDAP through smbldap-tools
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        add machine script = /usr/sbin/smbldap-useradd -W "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        # local LDAP server holds the SAM
        passdb backend = ldapsam:ldap://127.0.0.1/
        ldap delete dn = Yes
        ldap ssl = no
        ldap suffix = dc=domain
        ldap admin dn = cn=Administrator,dc=domain
        ldap group suffix = ou=Groups
        ldap user suffix = ou=People
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=People
        enable privileges = yes
        ldapsam:trusted = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
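As an added example (not part of the post above, and not Samba's own code), here is a small Python audit of the kind of smb.conf and nsswitch.conf pairs shown in the message. It parses smb.conf the way smbd matches parameters (case-insensitive names, internal whitespace ignored, a later duplicate overriding an earlier one, '#' and ';' comments) and then flags a handful of settings a reviewer would look at: cleartext or null passwords, weak client-side authentication, an ldapsam backend reached without TLS over anything but the loopback interface, a security = ADS member whose nsswitch.conf has no winbind source, and a writable share with force user = root. The function names, the audit rules and their messages are this example's own; the sample inputs are trimmed copies of the two configs above and the defaults used for absent parameters are the ones documented in smb.conf(5).

```python
"""Audit a few security-relevant smb.conf / nsswitch.conf settings.
Added example, not code from the original post or the Samba project; the
audit rules, function names and messages are this example's own choices.
"""
import re
from typing import Dict, List


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    config: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # '#' and ';' both start a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            config.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf(5): names are case-insensitive and internal whitespace is
            # ignored, so "Client NTLMv2 Auth" == "clientntlmv2auth"; a later
            # duplicate of a parameter overrides the earlier one.
            config[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return config


def smb_bool(value: str, default: bool) -> bool:
    v = value.strip().lower()
    if v in ("yes", "true", "1", "on"):
        return True
    if v in ("no", "false", "0", "off"):
        return False
    return default


def _ldap_is_local(url: str) -> bool:
    url = url.strip().lower()
    if url.startswith("ldapi://"):
        return True  # unix-domain socket, never leaves the host
    m = re.match(r"ldaps?://([^/:]+)", url)
    return bool(m) and m.group(1) in ("127.0.0.1", "localhost")


def nss_sources(text: str) -> Dict[str, List[str]]:
    """Map each nsswitch.conf database (passwd, group, ...) to its sources."""
    sources: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, rest = line.split(":", 1)  # drop [NOTFOUND=return]-style actions
            sources[db.strip()] = [w for w in rest.split() if not w.startswith("[")]
    return sources


def audit(config: Dict[str, Dict[str, str]], nss: Dict[str, List[str]]) -> List[str]:
    findings: List[str] = []
    g = config.get("global", {})
    # Fallback values are the smb.conf(5) defaults for parameters that are absent.
    if not smb_bool(g.get("encryptpasswords", "yes"), True):
        findings.append("global: encrypt passwords = no (cleartext passwords on the wire)")
    if smb_bool(g.get("nullpasswords", "no"), False):
        findings.append("global: null passwords = yes (empty-password accounts can log in)")
    for param in ("clientlanmanauth", "clientplaintextauth"):
        if param in g and smb_bool(g[param], False):
            findings.append(f"global: {param} enabled (weak client-side authentication)")
    for part in g.get("passdbbackend", "").split():
        if part.startswith("ldapsam:"):
            url = part[len("ldapsam:"):]
            if g.get("ldapssl", "start tls").lower() in ("no", "off") and not _ldap_is_local(url):
                findings.append(f"global: ldap ssl = no against remote server {url} (LDAP bind in clear)")
    if g.get("security", "").lower() == "ads" and "winbind" not in nss.get("passwd", []):
        findings.append("nsswitch: passwd has no winbind source, domain users will not map to uids")
    for name, share in config.items():
        if name == "global":
            continue
        writable = not smb_bool(share.get("readonly", "yes"), True)
        for synonym in ("writable", "writeable"):  # both mean read only = no
            if synonym in share:
                writable = smb_bool(share[synonym], False)
        if share.get("forceuser") == "root" and writable:
            findings.append(f"[{name}]: force user = root on a writable share (every allowed user writes as root)")
    return findings


# Constructed sample inputs, trimmed from the two configs in the post above.
FILE_SERVER_CONF = """[global]
    security = ADS
    password server = 10.11.12.13
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
[extra]
    path = /exports/extra
    force user = root
    read only = No
"""
FILE_SERVER_NSS = "passwd: compat winbind\nshadow: compat\ngroup: compat winbind\n"
DC_CONF = """[global]
    security = user
    encrypt passwords = yes
    null passwords = no
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap ssl = no
"""
DC_NSS = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n"

if __name__ == "__main__":
    for label, conf, nss in (("file server", FILE_SERVER_CONF, FILE_SERVER_NSS), ("DC", DC_CONF, DC_NSS)):
        print(label, audit(parse_smb_conf(conf), nss_sources(nss)) or ["no findings"])
```

Run against the two posted configs, the DC comes back clean (its ldap ssl = no is tolerated only because the LDAP URL is the loopback address; point it at another host and the audit flags the cleartext bind), while the file server's [extra] share is flagged: with force user = root and read only = No, every account matched by valid users writes to /exports/extra as root.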