OK I did this before seeing the little note in the docs that said don't do this.

Using samba 3.0.14a with ldap auth. Terpstra textbook setup from chapter 9 By Example.

nsswitch passwd and group = files ldap

I deleted the root user from the ldap directory and tried to re-add using

    smbldap-useradd -u 0 root -P

It complained that uid already existed. Must've gotten that from passwd file, so I tried

    smbldap-useradd root -P

Then used GQ to change the uid number to 0 and group id to 512.

Problem is when samba tries to auth root, it searches ldap for a gid 0 rather than 512. Gid 0 is not in ldap. Why is it looking for gid 0?

LOG EXTRACT:

May 4 12:02:07 suzy slapd[1410]: conn=12423 op=4 SRCH base="ou=Groups,dc=ptcoupling,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=root)(gidNumber=0)))"

What does it take to restore domain admin?

Here is the output from smbclient -L larry -Uroot:

INFO: Current debug levels:
  all: True/5
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
doing parameter syslog = 0
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter smb ports = 139 445
doing parameter name resolve order = wins bcast hosts
doing parameter time server = Yes
doing parameter printcap cache time = 750
doing parameter printcap name = cups
doing parameter show add printer wizard = No
doing parameter add user script = /etc/samba/smbldap/smbldap-useradd -m '%u'
doing parameter add group script = /etc/samba/smbldap/smbldap-groupadd -p '%g'
doing parameter add user to group script = /etc/samba/smbldap/smbldap-groupmod -m '%u' '%g'
doing parameter delete user from group script = /etc/samba/smbldap/smbldap-groupmod -x '%u' '%g'
doing parameter add machine script = /etc/samba/smbldap/smbldap-useradd -w '%u'
doing parameter logon script = /etc/samba/netlogon.bat
doing parameter logon path
doing parameter logon home
doing parameter wins support = Yes
doing parameter wins server = 172.21.1.30
doing parameter map acl inherit = yes
doing parameter ldap admin dn = cn=Manager,dc=ptcoupling,dc=com
doing parameter ldap delete dn = Yes
doing parameter ldap group suffix = ou=Groups
doing parameter ldap idmap suffix = ou=Idmap
doing parameter ldap machine suffix = ou=People
doing parameter ldap passwd sync = Yes
doing parameter ldap suffix = dc=ptcoupling,dc=com
doing parameter ldapsam:trusted = yes
doing parameter ldap ssl = no
doing parameter ldap user suffix = ou=People
doing parameter idmap backend = ldap:ldap://localhost
doing parameter idmap uid = 10000-20000
doing parameter idmap gid = 10000-20000
doing parameter admin users = @"Domain Admins", larry
doing parameter force unknown acl user = no
doing parameter ea support = Yes
doing parameter cups options = raw
doing parameter lpq command = /usr/bin/lpq -P'%p'
doing parameter lprm command = /usr/bin/lprm -P'%p' %j
doing parameter lppause command = lp -i '%p-%j' -H hold
doing parameter lpresume command = lp -i '%p-%j' -H resume
doing parameter queuepause command = /usr/bin/disable '%p'
doing parameter queueresume command = /usr/bin/enable '%p'
pm_process() returned Yes
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
added interface ip=172.21.1.30 bcast=172.21.255.255 nmask=255.255.0.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Netbios name list:-
my_netbios_names[0]="ACCT.SERVE"
Client started (version 3.0.14a-SerNet-SuSE).
Opening cache file at /var/lib/samba/gencache.tdb
name larry#20 found.
Connecting to 172.21.2.2 at port 445
socket option SO_KEEPALIVE = 0
socket option SO_REUSEADDR = 0
socket option SO_BROADCAST = 0
socket option TCP_NODELAY = 1
socket option IPTOS_LOWDELAY = 0
socket option IPTOS_THROUGHPUT = 0
socket option SO_SNDBUF = 16384
socket option SO_RCVBUF = 87380
socket option SO_SNDLOWAT = 1
socket option SO_RCVLOWAT = 1
socket option SO_SNDTIMEO = 0
socket option SO_RCVTIMEO = 0
session request ok
size=85
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=55297
smb_tid=0
smb_pid=16317
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]= 8 (0x8)
smb_vwv[ 1]= 2563 (0xA03)
smb_vwv[ 2]= 256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]= 17 (0x11)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 256 (0x100)
smb_vwv[ 7]= 0 (0x0)
smb_vwv[ 8]= 0 (0x0)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]= 227 (0xE3)
smb_vwv[11]=45184 (0xB080)
smb_vwv[12]=60713 (0xED29)
smb_vwv[13]=51670 (0xC9D6)
smb_vwv[14]=50512 (0xC550)
smb_vwv[15]=11265 (0x2C01)
smb_vwv[16]= 1 (0x1)
smb_bcc=16
size=85
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=55297
smb_tid=0
smb_pid=16317
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]= 8 (0x8)
smb_vwv[ 1]= 2563 (0xA03)
smb_vwv[ 2]= 256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]= 17 (0x11)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 256 (0x100)
smb_vwv[ 7]= 0 (0x0)
smb_vwv[ 8]= 0 (0x0)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]= 227 (0xE3)
smb_vwv[11]=45184 (0xB080)
smb_vwv[12]=60713 (0xED29)
smb_vwv[13]=51670 (0xC9D6)
smb_vwv[14]=50512 (0xC550)
smb_vwv[15]=11265 (0x2C01)
smb_vwv[16]= 1 (0x1)
smb_bcc=16
Serverzone is 18000
Doing spnego session setup (blob length=16)
server didn't supply a full spnego negprot
size=240
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=16317
smb_uid=2048
smb_mid=2
smt_wct=4
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 240 (0xF0)
smb_vwv[ 2]= 0 (0x0)
smb_vwv[ 3]= 123 (0x7B)
smb_bcc=197
size=240
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=16317
smb_uid=2048
smb_mid=2
smt_wct=4
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 240 (0xF0)
smb_vwv[ 2]= 0 (0x0)
smb_vwv[ 3]= 123 (0x7B)
smb_bcc=197
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_CHAL_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP challenge set by NTLM2
challenge is:
[000] 76 DF F3 B6 AE 24 69 26 v....$i&
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
size=35
smb_com=0x73
smb_rcls=1
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=16317
smb_uid=2048
smb_mid=3
smt_wct=0
smb_bcc=0
size=35
smb_com=0x73
smb_rcls=1
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=16317
smb_uid=2048
smb_mid=3
smt_wct=0
smb_bcc=0
SPNEGO login failed: Undetermined error
session setup failed: NT_STATUS_UNSUCCESSFUL