Hi,

I have recently upgraded a system with a Samba BDC, PDC and a couple of member servers from 3.2.14 to 3.4.9 (and also tested with 3.5.6). There appears to be some problem with Winbind (we need to run it on all servers as we have a trust relationship to a domain at another office). I have an Idmap range set up in our LDAP database.

With 3.2.14, all worked well. The Idmap ou would be populated with, and only with, entries for the accounts on the trusted domain. However, with 3.4.9 and 3.5.6, as soon as a member server is accessed, spurious entries appear in the Idmap ou from the "own domain". In addition, other entries are added for local groups (these are not showing in the screenshot but they are S-1-1-0, S-1-5-11 and S-1-5-2).

On another test domain I get entries like

A screenshot from an LDAP client illustrates the issue: http://www.nanogherkin.com/ldap.png

The green box shows the entries I expect (from the trusted domain). The red boxes show entries that have only appeared since the upgrade.

I am concerned about this as all the entries for the local domain (dom sid ends 8426) may be causing access control to stop working correctly - I have not seen any hard evidence of this so far, but there have been times we had to restart winbind on the member servers after the initial startup as no-one could access shares on them. The trusted domain is the one ending 4828.

Please also note the entry highlighted in red at the bottom. That SID is the one for one of the newly upgraded member servers (plus -513 for Domain Users). Again I don't know why that has been added.
Member server smb.conf:

[global]
unix charset = LOCALE
workgroup = CENSORED_domain
netbios name = CENSORED_server
security = DOMAIN
interfaces = eth0, lo
passdb backend = ldapsam:ldap://192.168.1.137
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 1048576
smb ports = 139 445
name resolve order = wins lmhosts bcast hosts
time server = no
printcap name = CUPS
show add printer wizard = Yes
enable privileges = yes
ldap suffix = dc=censored,dc=net
ldap machine suffix = ou=Computers,ou=Accounts
ldap user suffix = ou=People,ou=Accounts
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=manager,dc=censored,dc=net
ldap timeout = 20
idmap backend = ldap:ldap://192.168.1.137
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind nested groups = yes
winbind trusted domains only = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
#winbind cache time = 1200
allow trusted domains = yes
map acl inherit = Yes
ea support = Yes
wins server = 192.168.1.137
nt acl support = yes

PDC smb.conf:

[global]
workgroup = CENSORED_domain
netbios name = CENSORED_DC
interfaces = eth0, lo
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
syslog = 0
log file = /var/log/samba/%m
max log size = 104857
smb ports = 139 445
name resolve order = wins lmhosts bcast hosts
time server = yes
#printcap name = CUPS
show add printer wizard = Yes
enable privileges = yes
ldap suffix = dc=censored,dc=net
ldap machine suffix = ou=Computers,ou=Accounts
ldap user suffix = ou=People,ou=Accounts
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=manager,dc=censored,dc=net
ldap ssl = no
ldap timeout = 60
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind nested groups = yes
winbind trusted domains only = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes
map acl inherit = Yes
ea support = Yes
#printing = cups
# printer admin = root
wins support = yes
log level = 1
domain logons = yes
domain master = yes
preferred master = yes
logon drive = H:
#os level = 35
passdb expand explicit = yes
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
enable privileges = Yes
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon home = ""
logon path = ""

On the test domain I set up with 3.5.6 I get further phantom entries as soon as a member server is utilised in any way which involves looking up users:

dn: sambaSID=S-1-22-2-0,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10032
sambaSID: S-1-22-2-0
structuralObjectClass: sambaSidEntry
entryUUID: f93738b4-7565-102f-938e-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000001#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-1,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10033
sambaSID: S-1-22-2-1
structuralObjectClass: sambaSidEntry
entryUUID: f937bfb4-7565-102f-938f-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000003#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-2,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10034
sambaSID: S-1-22-2-2
structuralObjectClass: sambaSidEntry
entryUUID: f93828d2-7565-102f-9390-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000005#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-3,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10035
sambaSID: S-1-22-2-3
structuralObjectClass: sambaSidEntry
entryUUID: f9389114-7565-102f-9391-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000007#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-4,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10036
sambaSID: S-1-22-2-4
structuralObjectClass: sambaSidEntry
entryUUID: f9390388-7565-102f-9392-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000009#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-6,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10037
sambaSID: S-1-22-2-6
structuralObjectClass: sambaSidEntry
entryUUID: f9399cd0-7565-102f-9393-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#00000b#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-10,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10038
sambaSID: S-1-22-2-10
structuralObjectClass: sambaSidEntry
entryUUID: f93a2952-7565-102f-9394-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#00000d#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

Thanks
Alex
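An added audit script (not part of Alex's post or of Samba) that reads an LDIF dump of the Idmap ou like the one above and labels each sambaSID by origin, so the own-domain, well-known (S-1-1-0, S-1-5-11, S-1-5-2) and S-1-22 Unix user/group entries are separated from the expected trusted-domain ones, and any uid/gid outside the configured idmap range 10000-20000 is flagged. The sample LDIF, the S-1-5-21 domain SIDs and the trusted-domain SID are constructed placeholders; S-1-22-1 and S-1-22-2 being Samba's Unix user and Unix group SID namespaces is the only interpretation assumed.

```python
# Constructed sample shaped like the post's Idmap entries (only the attributes read below); domain SIDs are placeholders.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-21-111-222-4828-1105,ou=Idmap,dc=testdom1,dc=net
uidNumber: 10005
sambaSID: S-1-5-21-111-222-4828-1105

dn: sambaSID=S-1-5-21-333-444-8426-513,ou=Idmap,dc=testdom1,dc=net
gidNumber: 10012
sambaSID: S-1-5-21-333-444-8426-513

dn: sambaSID=S-1-22-2-0,ou=Idmap,dc=testdom1,dc=net
gidNumber: 10032
sambaSID: S-1-22-2-0

dn: sambaSID=S-1-1-0,ou=Idmap,dc=testdom1,dc=net
gidNumber: 25000
sambaSID: S-1-1-0
"""
TRUSTED_DOMAIN_SID = "S-1-5-21-111-222-4828"  # placeholder for the trusted domain (ends 4828)
WELL_KNOWN = {"S-1-1-0", "S-1-5-11", "S-1-5-2"}  # Everyone, Authenticated Users, Network

def parse_ldif(text):
    """One dict (attr -> [values]) per blank-line separated entry; no line folding or base64 handling."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for attr, _, value in (line.partition(": ") for line in block.splitlines()):
            attrs.setdefault(attr, []).append(value)
        entries.append(attrs)
    return entries

def classify_sid(sid, trusted_domain_sid):
    """Label a sambaSID by origin; only 'trusted-domain' is expected with winbind trusted domains only = yes."""
    if sid in WELL_KNOWN:
        return "well-known"
    if sid.startswith("S-1-22-"):  # Samba's own Unix user (S-1-22-1) / Unix group (S-1-22-2) SIDs
        return "unix-user" if sid.startswith("S-1-22-1-") else "unix-group"
    return "trusted-domain" if sid.rpartition("-")[0] == trusted_domain_sid else "other-domain"

def audit_idmap(ldif_text, trusted_domain_sid, id_range=(10000, 20000)):
    """Return {sid: [issues]} for every entry; an empty list means the entry is expected here."""
    report = {}
    for entry in parse_ldif(ldif_text):
        sid = entry["sambaSID"][0]
        kind = classify_sid(sid, trusted_domain_sid)
        issues = [] if kind == "trusted-domain" else [kind]
        ids = entry.get("uidNumber", []) + entry.get("gidNumber", [])
        if any(not id_range[0] <= int(v) <= id_range[1] for v in ids):
            issues.append("id outside idmap range")
        report[sid] = issues
    return report
```

Feed it the output of an ldapsearch over the Idmap ou (with the real trusted-domain SID) and every SID with a non-empty issue list is one of the phantom entries described above.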