I just spent half the afternoon debugging problems with the ad idmapping. I had imported the uid range from our IPA server but was having failures mapping user names. "getent passwd SAMDOM\\user1" would fail silently. "wbinfo -n SAMDOM\\user1" would return the sid, "wbinfo -i SAMDOM\\user1" would return failure:

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user RVX\user1

I tried increasing the log level for samba, restarting winbind a number of times, "net cache flush", "net cache list", and so on. Nothing useful appeared in any of the samba log.winbind* or log.wb-* files.

In the end, I discovered that the range I had put for the SAMDOM domain in smb.conf was wrong, and some uids were falling outside this range. But there was _nothing_ in the logs, or the net cache, or otherwise, that pointed me in this direction. The net cache was filled with -1 entries where lookup had failed.

So the bug here is that it should be _at least_ a warning log when, during ID mapping, having gotten a successful SID, a uid is not found because a corresponding range is not found. After all, the domain has already been determined, and so the correct range should be found, but a uid falls outside the range and nothing is logged.
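
Until winbind logs this condition, the mismatch can be caught outside Samba by comparing the directory's uidNumber values with the "idmap config DOMAIN : range" line in smb.conf. The script below is an added example, not part of the original report and not Samba code; the smb.conf fragment, user names, uid values and function names are constructed for illustration.

```python
import re

# Constructed smb.conf fragment (sample values, not from the original report).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = SAMDOM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-19999
"""

# Constructed (user, uidNumber) pairs standing in for an export from the directory.
SAMPLE_USERS = [("user1", 20001), ("user2", 10500), ("user3", 9999)]

# Matches lines such as "idmap config SAMDOM : range = 10000-19999".
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)

def parse_idmap_ranges(conf_text):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # skip smb.conf comments
            continue
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def out_of_range(users, ranges, domain):
    """Return [(user, uid, low, high)] for ids outside the domain's range."""
    key = domain.upper()
    if key not in ranges:
        raise KeyError(f"no 'idmap config {domain} : range' line found")
    low, high = ranges[key]
    return [(u, uid, low, high) for u, uid in users if not low <= uid <= high]

if __name__ == "__main__":
    ranges = parse_idmap_ranges(SAMPLE_SMB_CONF)
    for user, uid, low, high in out_of_range(SAMPLE_USERS, ranges, "SAMDOM"):
        print(f"WARNING: SAMDOM\\{user} uid {uid} outside idmap range {low}-{high}")
```

Any account it reports is one for which winbind can resolve the SID but cannot return a passwd entry, which is the silent failure described above.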