Hi, just a question about the representation of Windows Domain groups in LDAP when using the ldapsam backend: What exactly is required to have a Windows Domain group properly configured? Am I correct that there is only a single LDAP object of - objectClasses sambaGroupMapping and posixGroup, - where the cn and gidNumber tell the posix/unix group stuff, - where the sambaSID, the sambaGroupType, and the displayName describe the Windows group, - and the mapping is done by just having both parts of information in the same object? Is it correct that the posix group name (cn) and the windows group name (displayName) are independent and can be arbitrarily chosen? And that it does not matter whether the windows group name contains spaces, where unix/posix group names must not? regards Hadmut