Hi All,

I have a problem with permissions following a migration from tdbsam to LDAP. As I understand it from the documentation, each member server on the domain needs to have 2 SIDs, a domain SID and a local machine SID. After migrating the server to LDAP, users can still log in and desktops and servers can still connect, so the machine accounts are fine, but I've lost access to shares on member servers.

I've set the smb.conf to obtain the unix user and group info from the LDAP server and the conditions are met:

1) I can su to a UNIX account on any machine
2) wbinfo -u & g return full and correct user & group listings.
3) net groupmap list on all servers returns identical map lists
4) logging into any server and running id <username> produces identical user and group ids

I have 777 as permissions on the share and its parent directory and I have tried valid users, read list and write list with @"Group" and +"NTDomain\groupname" with no success. The only member server I can access shares on is one that has the same SID for local and machine, although users and groups show up as SERVERNETBIOSNAME\group.

It states in the documentation that each member server has different domain and machine SIDs, but does that include the PDC? Given that the PDC itself has to be joined to the NT Domain with net rpc join I suspect that's the case, but I haven't found anything confirming it. Can anyone elaborate?

Cheers,
Jools
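A small diagnostic script for the checks described in the post above, added here as an example and not taken from the thread or from Samba itself. It reads the local and domain SID with `net getlocalsid` / `net getdomainsid` (the "SID for ... is: S-1-5-21-..." output format is an assumption), repeats the wbinfo, groupmap and id checks, and emits a checksum of `net groupmap list` so the result can be compared between servers.

```shell
#!/bin/sh
# Added helper, not from the original thread. Assumes Samba's `net` and `wbinfo`
# tools are on PATH and that `net getlocalsid` / `net getdomainsid` print lines of
# the form "SID for ... is: S-1-5-21-..." (an assumption about the output format).

# Return the first SID found in a block of text (empty string if none).
extract_sid() {
    printf '%s\n' "$1" | grep -o 'S-1-5-[0-9][0-9-]*' | head -n 1
}

# Succeed (0) only when both SIDs are present and differ.
sids_distinct() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Order-independent checksum of a listing, so one command can be compared across servers.
listing_checksum() {
    printf '%s\n' "$1" | sort | cksum | cut -d ' ' -f 1
}

# Live check of this host; optional first argument is a username to resolve with id(1).
check_member_server() {
    command -v net >/dev/null 2>&1 || { echo "samba 'net' tool not found; skipping"; return 2; }
    local_sid=$(extract_sid "$(net getlocalsid 2>/dev/null)")
    domain_sid=$(extract_sid "$(net getdomainsid 2>/dev/null | grep -i 'for domain' || true)")
    echo "local machine SID : ${local_sid:-<none>}"
    echo "domain SID        : ${domain_sid:-<none>}"
    echo "wbinfo -u entries : $(wbinfo -u 2>/dev/null | wc -l)"
    echo "wbinfo -g entries : $(wbinfo -g 2>/dev/null | wc -l)"
    echo "groupmap checksum : $(listing_checksum "$(net groupmap list 2>/dev/null)")"
    [ -n "$1" ] && echo "id $1 : $(id "$1" 2>&1)"
    if sids_distinct "$local_sid" "$domain_sid"; then
        echo "OK: local machine SID differs from domain SID"
    else
        echo "WARN: local and domain SID are identical or could not be read"
        return 1
    fi
}

# Only run the live check when explicitly requested, so the file can be sourced for tests.
if [ "${SMB_SID_CHECK_LIVE:-0}" = "1" ]; then
    check_member_server "$@"
fi
```

Run `SMB_SID_CHECK_LIVE=1 sh check_sids.sh someuser` on the PDC and on each member server and compare the printed SIDs and checksums.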