This is an issue in 4.0, 4.1 and master. When objects have been migrated from another domain, e.g. group membership can still be indicated through SIDs in the previous domain. When using the SID of the migration source, the LookupSids requests from source3/winbindd/wb_sids2xids.c return the domain SID from the new domain. The code in wb_sids2xids_lookupsids_done then combines the domain SID from the new domain with the RID from the previous domain. When that wrongly created SID clashes with the SID from an actual user or group, user access can get denied. The patch proposed in https://lists.samba.org/archive/samba-technical/2014-September/102456.html fixes this problem by reverting to the behavior seen in the 3.6 code: use the SID from the previous domain for the id mapping request.
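Added illustration, not part of the report and not Samba code: it contrasts the combination described above with handing the requested SID to id mapping unchanged, and flags a lookup reply whose domain SID is not the requested SID's own. The helper names and the sample SIDs are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample values, not taken from the bug report. */
#define OLD_GROUP_SID  "S-1-5-21-100-200-300-1105" /* SID from the migration source */
#define NEW_DOMAIN_SID "S-1-5-21-400-500-600"      /* domain SID in the lookup reply */

/* Split "S-1-...-RID" into its domain part and trailing RID; 0 on success. */
static int sid_split_rid(const char *sid, char *dom, size_t domlen, unsigned long *rid)
{
    const char *dash = strrchr(sid, '-');
    char *end;
    if (dash == NULL || dash == sid || (size_t)(dash - sid) >= domlen)
        return -1;
    *rid = strtoul(dash + 1, &end, 10);
    if (end == dash + 1 || *end != '\0')
        return -1;
    memcpy(dom, sid, (size_t)(dash - sid));
    dom[dash - sid] = '\0';
    return 0;
}

/* Combination described in the report: reply's domain SID + requested RID.
 * The unsigned cast turns a negative snprintf result into a rejected length. */
static int compose_from_lookup(const char *requested, const char *reply_dom, char *out, size_t outlen)
{
    char dom[128]; unsigned long rid;
    if (sid_split_rid(requested, dom, sizeof(dom), &rid) != 0)
        return -1;
    return (size_t)(unsigned)snprintf(out, outlen, "%s-%lu", reply_dom, rid) < outlen ? 0 : -1;
}

/* What the report asks for: requested SID unchanged; *migrated flags a foreign reply domain. */
static int sid_for_idmap(const char *requested, const char *reply_dom, char *out, size_t outlen, int *migrated)
{
    char dom[128]; unsigned long rid;
    if (sid_split_rid(requested, dom, sizeof(dom), &rid) != 0)
        return -1;
    *migrated = strcmp(dom, reply_dom) != 0;
    return (size_t)(unsigned)snprintf(out, outlen, "%s", requested) < outlen ? 0 : -1;
}

int main(void)
{
    char bad[128], good[128]; int migrated = 0;
    if (compose_from_lookup(OLD_GROUP_SID, NEW_DOMAIN_SID, bad, sizeof(bad)) != 0) return 1;
    if (sid_for_idmap(OLD_GROUP_SID, NEW_DOMAIN_SID, good, sizeof(good), &migrated) != 0) return 1;
    printf("combined:  %s\nunchanged: %s (migrated=%d)\n", bad, good, migrated);
    return 0;
}
```

The combined value lands in the new domain's SID space, which is where the clash with an existing user or group described above can occur.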
Created attachment 10320: Backport of patches to 4.0 branch
Created attachment 10321: Backport of patches to 4.1 branch
Reassigning for inclusion in 4.x branches.
Pushed to autobuild-v4-[0|0]-test. Christof, please make sure to include the bug number in the commit message in future. Thanks!
Pushed to both branches. Closing out bug report. Thanks!