On 17/08/2020 12:19, Bob Wooden via samba wrote: > workgroup = DOM > > ## map ids from the domain the range may not overlap ! > idmap config SUBDOM : backend = ad You have 'DOM' set as the workgroup and 'SUBDOM' in the 'idmap config' lines. 'DOM' != 'SUBDOM' They both should be the same. Rowland