with samba WITHOUT using winbind. Sorry, but this is not acceptible for me (and for sure quite a few other people). If it is by design that winbind does the lookup of sids and if it is also by design that winbind is the final authority on uids, then the design is not the best. I would prefer to have two separate instances for resolving sids to names and for resolving names to uids. The way you have implemented it so far forces users to quit their nameservice and use the M$ one. Am I right? Christopher