"net groupmap delete ntgroup=xxxgroup" does NOT delete the cache entry "IDMAP/GID2SID/<GID>" in gencache.tdb, thus Samba does not recognize new SID for the group.

How to reproduce the issue:

0. Environment:

  # id xxxuser
  uid=20005(xxxuser) gid=20006(xxxgroup) groups=20006(xxxgroup)
  # testparm -s
  Load smb config files from /usr/local/samba/etc/samba/smb.conf
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
  Loaded services file OK.
  Server role: ROLE_STANDALONE

  # Global parameters
  [global]
          idmap config * : backend = tdb
  # id xxxuser
  uid=20005(xxxuser) gid=20006(xxxgroup) groups=20006(xxxgroup)

1. Create a Samba user:

  # pdbedit --create xxxuser
  new password:
  retype new password:
  Unix username: xxxuser
  NT username:
  Account Flags: [U ]
  User SID: S-1-5-21-563935124-3443185349-1134518957-1020
  Primary Group SID: S-1-5-21-563935124-3443185349-1134518957-513
  ...(snip)...

2. Add a groupmap for xxxgroup (xxxuser's primary group):

  # net groupmap add unixgroup=xxxgroup
  No rid or sid specified, choosing a RID
  Got RID 1021
  Successfully added group xxxgroup to the mapping db as a domain group

3. Check the primary group SID of xxxuser (expected result):

  # pdbedit -Lv xxxuser |grep 'Primary Group SID:'
  Primary Group SID: S-1-5-21-563935124-3443185349-1134518957-1021

4. Delete the groupmap for xxxgroup:

  # net groupmap delete ntgroup=xxxgroup
  Successfully removed xxxgroup from the mapping db
  # pdbedit -Lv xxxuser |grep 'Primary Group SID:'
  Primary Group SID: S-1-5-21-563935124-3443185349-1134518957-513

5. Re-add the groupmap for xxxgroup (new SID is assigned):

  # net groupmap add unixgroup=xxxgroup
  No rid or sid specified, choosing a RID
  Got RID 1022
  Successfully added group xxxgroup to the mapping db as a domain group

6. Check the primary group SID of xxxuser (wrong result):

  # pdbedit -Lv xxxuser |grep 'Primary Group SID:'
  Primary Group SID: S-1-5-21-563935124-3443185349-1134518957-513

7. Show cache entries in gencache.tdb:

  # net cache list
  Key: IDMAP/GID2SID/20006 Timeout: Thu Dec 1 01:17:42 2016 Value: S-1-5-21-563935124-3443185349-1134518957-1021
  Key: IDMAP/SID2XID/S-1-22-2-20006 Timeout: Thu Dec 1 01:16:55 2016 Value: 20006:G
  Key: IDMAP/SID2XID/S-1-5-21-563935124-3443185349-1134518957-1021 Timeout: Thu Dec 1 01:17:42 2016 Value: 20006:G

8. Delete the cache entry "IDMAP/GID2SID/20006" in gencache.tdb:

  # net cache del IDMAP/GID2SID/20006
  Entry deleted.

9. Check the primary group SID of xxxuser (expected result):

  # pdbedit -Lv xxxuser |grep 'Primary Group SID:'
  Primary Group SID: S-1-5-21-563935124-3443185349-1134518957-1022
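
An added example, not part of the original report and not Samba code: a check that finds IDMAP/GID2SID entries in "net cache list" output (step 7) that disagree with the current group mapping and prints the "net cache del" command from step 8 for each. The function names, the current_map argument (gid to SID, which the caller has to build from the current groupmap) and the fallback to the S-1-22-2-<gid> Unix Group SID for an unmapped gid on this standalone setup are assumptions; the sample text is constructed from the values in the report.

```python
import re

# One entry as printed by `net cache list` (layout as shown in step 7).
ENTRY_RE = re.compile(r"Key:\s*(\S+)\s+Timeout:\s*(.*?)\s+Value:\s*(\S+)")
GID2SID_RE = re.compile(r"IDMAP/GID2SID/(\d+)")
DOMAIN = "S-1-5-21-563935124-3443185349-1134518957"

# Constructed sample: the three cache entries listed in step 7 of the report.
SAMPLE_CACHE = f"""\
Key: IDMAP/GID2SID/20006 Timeout: Thu Dec 1 01:17:42 2016 Value: {DOMAIN}-1021
Key: IDMAP/SID2XID/S-1-22-2-20006 Timeout: Thu Dec 1 01:16:55 2016 Value: 20006:G
Key: IDMAP/SID2XID/{DOMAIN}-1021 Timeout: Thu Dec 1 01:17:42 2016 Value: 20006:G
"""


def parse_cache_list(text):
    """Return {key: value} for every entry found in `net cache list` output."""
    return {m.group(1): m.group(3) for m in ENTRY_RE.finditer(text)}


def stale_gid2sid(cache_text, current_map):
    """Return [(gid, cached_sid, expected_sid)] where the cache disagrees.

    current_map is {gid: sid} for groups that have a groupmap entry now.
    Assumption: a gid without one resolves to its Unix Group SID.
    """
    stale = []
    for key, cached in sorted(parse_cache_list(cache_text).items()):
        m = GID2SID_RE.fullmatch(key)
        if not m:
            continue  # SID2XID and unrelated keys are not checked here
        gid = int(m.group(1))
        expected = current_map.get(gid, f"S-1-22-2-{gid}")
        if cached != expected:
            stale.append((gid, cached, expected))
    return stale


def cleanup_commands(stale):
    """Build the step 8 command for every stale entry."""
    return [f"net cache del IDMAP/GID2SID/{gid}" for gid, _, _ in stale]


if __name__ == "__main__":
    # State after step 5: xxxgroup (gid 20006) was re-added with RID 1022.
    for cmd in cleanup_commands(stale_gid2sid(SAMPLE_CACHE, {20006: f"{DOMAIN}-1022"})):
        print(cmd)
```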