Leap 15.4 / 15.2 (and TW) work _after_ making a modification to the auto-generated /etc/samba/smb.conf file (as previously documented on here somewhere). I don't remember where I got these edits from anymore. These edits are _the same_ for Leap 15.2 / 15.4 and TW I have to replace the section: [global] workgroup = ADS passdb backend = tdbsam printing = cups printcap name = cups printcap cache time = 750 cups options = raw map to guest = Bad User logon path = \\%L\profiles\.msprofile logon home = \\%L\%U\.9xprofile logon drive = P: usershare allow guests = No > idmap config * : backend = tdb > idmap config * : range = 10000-20000 > idmap config ads : backend = rid > idmap config ads : range = 20001-99999 kerberos method = secrets and keytab realm = ADS.XXX.XXX security = ADS template homedir = /home/%D/%U template shell = /bin/bash winbind refresh tickets = yes with [global] workgroup = ADS passdb backend = tdbsam printing = cups printcap name = cups printcap cache time = 750 cups options = raw map to guest = Bad User logon path = \\%L\profiles\.msprofile logon home = \\%L\%U\.9xprofile logon drive = P: usershare allow guests = No > idmap gid = 10000-20000 > idmap uid = 10000-20000 kerberos method = secrets and keytab realm = ADS.XXX.XXX security = ADS template homedir = /home/%D/%U template shell = /bin/bash winbind refresh tickets = yes This may be related to our AD setup, but I can't make any comments on why. getent passwd / group only shows local stuff. "id" shows correct group membership for AD users (after the mod).