Hello, I install samba-ldap-pdc on a ubuntu. I join well the domain with root user, but when I restart, root or user login don't work. I can access to share via network with root or user login. when I try under winXP pro to change security of a file, I can't access to server user list : "bad user or passwd" I've no error in log.smbd or debug my smb.conf [global] smb ports = 139 workgroup = MAILAN.LOCAL netbios name = authlan server string = Samba-LDAP PDC Server domain master = Yes local master = Yes domain logons = Yes os level = 64 security = milan.local preferred master = Yes #unix password sync = Yes #passwd program = /usr/sbin/smbldap-passwd ?u %u # l option ci-dessous permet de forcer un nouveau mot de passe a la premiere connexion #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n" ldap passwd sync = Yes passdb backend = ldapsam:ldap://127.0.0.1/ ldap admin dn = cn=admin,dc=mailan,dc=local ldap suffix = dc=mailan,dc=local ldap group suffix = ou=Groups ldap user suffix = ou=Users ldap machine suffix = ou=Machines add machine script = /usr/sbin/smbldap-useradd -w "%u" add user script = /usr/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes delete user script = /usr/sbin/smbldap-userdel "%u" add machine script = /usr/sbin/smbldap-useradd -w "%u" add group script = /usr/sbin/smbldap-groupadd -p "%g" delete group script = /usr/sbin/smbldap-groupdel "%g" add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" logon path = \\%L\profile\%U logon drive = P: logon home = \\%L\%U socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_KEEPALIVE case sensitive = No default case = lower preserve case = yes short preserve case = Yes #character set = iso8859-1 #domain admin group = @admin dns proxy = No wins support = yes hosts allow = 192.168. 127. winbind use default domain = Yes nt acl support = Yes msdfs root = Yes hide files = /desktop.ini/ntuser.ini/NTUSER.*/ logfile = /var/log/samba/log.%m debug level = 3 [profiles] path = /home/export/profile read only = no browseable = no guest ok = yes profiles acls = yes [netlogon] path = /home/netlogon writable = no browseable = no write list = Administrateur available = no public = no [homes] comment = Repertoire Personnel browseable = No writeable = Yes [partage] comment = Repertoire commun browseable = yes public = yes path = /partage writable = yes [documents] comment = Repertoire commun browseable = no public = no path = /partage/documents available = no writable = no [outils] comment = Repertoire commun browseable = no public = no path = /partage/logiciels/outils available = no writable = no ################################ my slapd.conf ####################### # Global Directives: # Features to permit allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema # Schema check allows for forcing entries to # match schemas for their objectClasses's schemacheck on # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd.args # Read slapd.conf(5) for possible values loglevel 3 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_bdb ####################################################################### # SSL: # Uncomment the following lines to enable SSL and use the default # snakeoil certificates. #TLSCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem #TLSCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key # Chemin vers le certificat du serveur LDAP #TLSCertificateFile /etc/ldap/cert/servercert.pem # Chemin vers la clef priv??e du serveur LDAP #TLSCertificateKeyFile /etc/ldap/cert/serverkey.pem # Chemin vers le certificat de la CA #TLSCACertificateFile /etc/ldap/cert/cacert.pem ####################################################################### # Specific Backend Directives for bdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend bdb checkpoint 512 30 ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other> ####################################################################### # Specific Directives for database #1, of type bdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database bdb # The base of your directory in database #1 suffix "dc=mailan,dc=local" rootdn "cn=admin,dc=mailan,dc=local" rootpw {SSHA}1PAlNaHo/U5QV8UB9M1scrEoFqGsEtvk # Where the database file are physically stored for database #1 directory "/var/lib/ldap" # Indexing options for database #1 index objectClass eq # Save the time that the entry gets modified, for database #1 lastmod on # Where to store the replica logs for database #1 replogfile "/var/lib/ldap/replog" replica uri=ldap://192.168.0.132:389 binddn="uid=replication,ou=users,dc=mailan,dc=local" bindmethod=simple credentials=secofr # bindmethod=simple credentials="{SSHA}KsGfPaQR67EKAEbW9FYvloppjVBDSk47" # tls=yes # # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attrs=userPassword by dn="cn=admin,dc=mailan,dc=local" write by anonymous auth by self write by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read # The admin dn has full write access, everyone else # can read everything. access to * by dn="cn=admin,dc=mailan,dc=local" write by dn="uid=replication,ou=users,dc=mailan,dc=local" read by * read thanks for your answer and sorry for my english