Hello, I'm not really expecting an answer to my question, but I might as well try. Samba's IRC channel proved unhelpful, and I found a work-around before I got desperate enought to try the (from the archives not very promising) mailing list. I am using an MS Server2k8R2 ADS, and Samba 3.6.9 with an idmap_ad configuration, which was working the way I expected until recently. I had to reboot my ADS then, and what happened next was ugly. For some reason Samba/winbind/idmap messed up, and assigned the uid of my domain user to a local guest account (SID ending on 501 - just like the co-existing domain guest account). This made nss go crazy. Authentication still worked, as did getent passwd, but uid-to-name was broken. User rights were transferred to the local guest account. My real question is - how did this local account crop up? Where is idmap/wbinfo getting uid to sid translation from? Why is it not respecting smb.conf idmap range settings? ..I ended up assigning a different uid to the domain account, and did some chowns, but I'd still like to know what exactly has happened there, and why.