We have three Samba 2.2.8a DC's. They share the smbpasswd database over NFS. This is not a problem whatsoever. It works wonderfully!

We are becoming a complete LDAP authenticating site for everything and want to migrate the smbpasswd file to LDAP. We have the scripts to process all of this so I don't see a problem with merging the sambaSamAccount info with our posixAccount stuff which I saw was very simple to do. All the framework is ready, but where I get confused is: can we continue with three DC's and use the single database to auth everyone, or should we be considering a consolidation to one large DC?

The reasons for three DC's originally were:

1) Load balancing
2) Distribution of different types of data and services
3) Physical separation of Academic, Administrative and EverythingElse content management.

This all made sense then, but perhaps not so much now.

My questions are these:

1) How would the three Samba DC's share the SID attributes for a given DN between domains so we can keep one password and one id across all domains? It doesn't appear to me that they would. I could really use some insight here.

2) When do I know that I need to use winbindd? The docs seem to refer to merging credential info between Samba and Windows servers, but we don't plan on that.

3) The group information for Samba as laid out in 6.3.5 of the Samba By Example book is quite exciting from the perspective of support for true Windows groups in Samba, which would be awesome for adding a user as an administrator or Debug Users and such. Will this be complicated by the use of three DC's accessing this info?

4) Assuming I do need winbindd, AIX has an LDAP method already, but Andrew's WINBIND method looks equally exciting, especially if we can implement the extensions that allow WINBIND to have options for "authonly,db=LDAP" or "auth=KRB5,db=LDAP". The former allows winbindd to do the AIX auth and gather user info from LDAP. The latter one would allow for AIX to auth against KRB, look up user info from LDAP (which allows the use of secldapclntd and the AIX, RFC2307 or RFC2307AIX mappings allowed by AIX so you can use any LDAP server backend with optional schemas), keeping the ability to still change all passwords and gather RID information from winbindd. This mechanism is easily implemented with getauthdb and setauthdb for AIX loadable authentication modules. Or am I just making this too complicated and missing a rudimentary point?

5) If no SID attribute is listed in the user's DN, and no winbindd is configured, does Samba revert back to the computed RID of (uidNumber * 2 + 1000)? I can easily calculate the full SID for the user and store it in the attribute, but I'm curious. (I'm looking through the code, but some things are just not obvious to me.)

I thank you all in advance for your responses and continued documentation of all these features.

Bill