Greetings, I have just migrated our school NT4 Domain over to Samba 3.0.5-0.backports.org.1 running on Debian Stable with some backports packages. I am using ldapsam backend with OpenLDAP 2.0.23-6.3 - ldap-server For the most part ,the Domain is functioning very well, login, password changes, browsing the domain etc. all seem to work, but I have a starnge problem with looking up users and groups. usrmgr and srvmgr running on NT/2000/XP servers/workstations will not function - they complain about "Invalid Tag" from and NT workstation, when I go into security panel on a fiel permission, I can view all the doamin groups, but when I try to expand the list to view users, I again get the "Invalid Tag" error. Doing the same thing from a 2000 or XP workstation, only shows local machine groups and will not display the Domain groups, or give me the option to view domain users. However, if I manually type in a domain user or group e.g. \\DOMAIN1\bill.bloggs I am able to assign rights to that entity. Can anyone give me clues as to what might be amiss here, the onlt info I've found so far applies to Samba 2.something and was supposed to fixed a while ago. smb.conf is given below:- [global] unix charset = LOCALE workgroup = OURDOMAIN netbios name = STAFF_SAMBA interfaces = eth0, lo bind interfaces only = Yes ldap passwd sync = Yes passdb backend = ldapsam:ldap://localhost username map = /etc/samba/smbusers log level = 1 syslog = 0 log file = /var/log/samba/%m max log size = 50 smb ports = 139 445 name resolve order = wins bcast hosts time server = Yes printcap name = CUPS show add printer wizard = No add user script = /sbin/smbldap-useradd -a -m '%u' delete user script = /sbin/smbldap-userdel %u add group script = /sbin/smbldap-groupadd -p '%g' delete group script = /sbin/smbldap-groupdel '%g' add user to group script = /sbin/smbldap-groupmod -m '%u' '%g' delete user from group script = /sbin/smbldap-groupmod -x '%u' '%g' set primary group script = /sbin/smbldap-usermod -g '%g' '%u' add machine script = /sbin/smbldap-useradd -w '%u' logon script = scripts\logon.bat logon path = \\%L\profiles\%U logon drive = H: domain logons = Yes domain master = Yes preferred master = Yes wins support = Yes ldap suffix = o=brentwood.bc.ca. ldap machine suffix = ou=People,ou=internal ldap user suffix = ou=People,ou=internal ldap group suffix = ou=Groups,ou=internal ldap idmap suffix = ou=Idmap ldap admin dn = cn=Manager,o=brentwood.bc.ca. idmap backend = ldap:ldap://localhost idmap uid = 10000-20000 idmap gid = 10000-20000 map acl inherit = Yes printing = cups printer admin = Headboy, pavittd, dewi, Administrator Thanks, Dewi