Samba bug 11961 fixes an issue with idmap backend autorid but I think it may trigger an issue with the rid backend.

To reproduce, I have my domains configured as follows:

    realm = ENGWIN2K8.EXAMPLE.NET
    idmap config *: backend = tdb
    idmap config *: read only = yes
    idmap config *: range = 200000-210000
    idmap config engwin2k8: read only = no
    idmap config engwin2k8: backend = rid
    idmap config engwin2k8: range = 400000-8000000

With this configuration running Samba 4.4.7 I then run the following commands.

(good - proper domain sid)

    # wbinfo --sid-to-gid S-1-5-21-2711066360-1593264842-223442985-513
    400513

(bad - made up domain sid)

    # wbinfo --sid-to-gid S-1-5-21-1999999999-1993264842-923442985-786
    400786

I expected something like what I got on older versions of Samba:

    # wbinfo --sid-to-gid S-1-5-21-1999999999-1993264842-923442985-786
    failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
    Could not convert sid S-1-5-21-1999999999-1993264842-923442985-786 to gid

And indeed when I build a custom version of Samba with the patch from that bug reverted (git change d5af3f3b6565da624fe6f6e4cbea818392c0c68f) I get the desired behavior.

This is an issue on systems that have migrated data, especially those preserving old NT ACLs, across systems and domains. It appears that the cache gets "polluted" with some of these entries and may be causing file access issues.

Please let me know if there is any additional information I can provide. Thank you.
*** This bug has been marked as a duplicate of bug 11961 ***
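
The mapping reported above, modeled as an added example (not Samba source code and not part of the original report). It assumes the documented idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID with the default base_rid of 0; the function names and the foreign SID ending in -513 are constructed for illustration.

```python
# Added illustration of the reported behaviour; not Samba source code.
LOW, HIGH = 400000, 8000000   # "idmap config engwin2k8: range" from the report
BASE_RID = 0                  # assumption: idmap_rid default base_rid
DOMAIN_SID = "S-1-5-21-2711066360-1593264842-223442985"  # "proper" domain SID in the report


def split_sid(sid):
    """Split a SID string into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_id(rid):
    """ID = RID - BASE_RID + LOW_RANGE_ID, or None when outside the range."""
    unix_id = rid - BASE_RID + LOW
    return unix_id if LOW <= unix_id <= HIGH else None


def map_unchecked(sid):
    """Model consistent with the 4.4.7 output: the domain part is ignored."""
    _, rid = split_sid(sid)
    return rid_to_id(rid)


def map_checked(sid):
    """Model of the expected behaviour: other domains' SIDs are not mapped."""
    dom, rid = split_sid(sid)
    if dom != DOMAIN_SID:
        return None  # stands in for WBC_ERR_DOMAIN_NOT_FOUND
    return rid_to_id(rid)


def find_collisions(sids):
    """Return {unix_id: [sids]} where several SIDs share one ID when unchecked."""
    by_id = {}
    for sid in sids:
        unix_id = map_unchecked(sid)
        if unix_id is not None:
            by_id.setdefault(unix_id, []).append(sid)
    return {i: s for i, s in by_id.items() if len(s) > 1}


GOOD = DOMAIN_SID + "-513"                                    # from the report
MADE_UP = "S-1-5-21-1999999999-1993264842-923442985-786"      # from the report
FOREIGN_513 = "S-1-5-21-1999999999-1993264842-923442985-513"  # constructed sample
```

Running `find_collisions` over SIDs collected from migrated ACLs shows which foreign SIDs would land on a gid that already belongs to a group in the configured domain.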