I have this configuration:

ldap admin dn = cn=Directory Manager
ldap suffix = dc=test.com,dc=global
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Machines

and when I try to add an account it can't find the object:

# smbpasswd -D10 -am test1$
[...]
ldapsam_getsampwnam: Unable to locate user [test1$] count=0
[...]
Get_Pwnam_internals didn't find user [test1$]!
[...]
Failed to add entry for user test1$.

According to this thread:
http://lists.samba.org/archive/samba/2006-July/122787.html
group, user and machine suffixes are ignored(!) but in the docs those settings are clearly explained:
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#LDAPGROUPSUFFIX

I've tried with changing ldap.conf settings and indeed, it works. So I'm not sure where this bug should be placed because it is either a documentation bug or a config parsing bug. Feel free to change it.

"ldap user/group suffix" is used to *create* the LDAP objects. LDAP searches are being done at the "ldap suffix" as search base, which obviously also includes the ldap user/group suffix, because this is a subtree of it. This does not contradict the documentation.
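
The create-versus-search distinction from the reply above, as an added example that is not part of the original thread and not Samba's code: it derives the container each suffix setting points new objects at and checks that a subtree search from "ldap suffix" covers it. The function names and the `uid=` naming attribute are assumptions made for illustration.

```python
import re

# Constructed smb.conf fragment using the values from the report above.
SMB_CONF = """
ldap admin dn = cn=Directory Manager
ldap suffix = dc=test.com,dc=global
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Machines
"""

def parse_ldap_settings(text):
    """Return {'suffix': ..., 'user suffix': ..., ...} from 'ldap x = y' lines."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*ldap\s+(.+?)\s*=\s*(.+?)\s*$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def split_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def creation_base(settings, kind):
    """Container for new objects of this kind: '<kind> suffix' + 'suffix'."""
    sub = settings.get(kind + " suffix")
    return f"{sub},{settings['suffix']}" if sub else settings["suffix"]

def in_subtree(dn, base):
    """True if dn equals base or lies below it (subtree search scope)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def report(text, account):
    """Map each object kind to (creation container, found by search at 'ldap suffix')."""
    s = parse_ldap_settings(text)
    rows = {}
    for kind in ("user", "machine", "group"):
        base = creation_base(s, kind)
        # 'uid=' as the naming attribute is an assumption for illustration.
        dn = f"uid={account},{base}"
        rows[kind] = (base, in_subtree(dn, s["suffix"]))
    return rows

if __name__ == "__main__":
    for kind, (base, covered) in report(SMB_CONF, "test1$").items():
        print(f"{kind:8} created under {base}  covered by search: {covered}")
```

An entry stored outside the "ldap suffix" tree is the case where `in_subtree` returns False, meaning the search described in the reply would not reach it.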