There is no check on the syntax 188.8.131.52 of securityIdentifier when saving the value.
MS-AD will refuse to save if the syntax is not a hex string representation of an objectSID. Samba-AD will accept any hex string.
I have seen this issue at a client who was using the securityIdentifier to store the SHA1 string of the user password (no comments).
When adding an MS-AD to the domain, the initial join works but subsequent replications fail.
This is not a show stopper, but I had this case at a client today. Actually I'm not even clear on what this attribute's purpose is...
NDR unpack is complaining when displaying the corrupt user entry with a ldbsearch or a samba-tool user show.
How to reproduce:
* add a random string to the securityIdentifier attribute of a user
* samba-tool user show myser -> see the NDR unpack error
* try to join a MS-AD, replication fails after initial join
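
To find affected entries before a join, the check the report says is missing can be run over exported values. The following is an added example, not code from this report or from Samba: it assumes the raw securityIdentifier bytes have already been fetched, the function names and sample entries are hypothetical and constructed, and the binary SID layout (revision, sub-authority count, 6-byte authority, 32-bit little-endian sub-authorities) is the standard one.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Parse a binary SID into S-1-... form; raise ValueError if malformed."""
    if len(raw) < 8:
        raise ValueError("too short for a SID header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unexpected revision {revision}")
    if count > 15:
        raise ValueError(f"too many sub-authorities ({count})")
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"length {len(raw)} does not match {count} sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])      # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def audit(entries: dict) -> dict:
    """Return {entry name: reason} for values that are not a valid SID."""
    bad = {}
    for name, raw in entries.items():
        try:
            parse_sid(raw)
        except ValueError as exc:
            bad[name] = str(exc)
    return bad

# Constructed sample values (hypothetical user names).
SAMPLE = {
    # S-1-5-21-1-2-3-1105 in binary form
    "gooduser": bytes.fromhex(
        "0105000000000005" "15000000" "01000000" "02000000" "03000000" "51040000"),
    # A 20-byte SHA-1 digest (of the empty string) stored in place of a SID
    "hashuser": bytes.fromhex("da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    # Truncated value
    "shortuser": b"\x01\x02",
}

if __name__ == "__main__":
    for name, reason in audit(SAMPLE).items():
        print(f"{name}: invalid securityIdentifier ({reason})")
```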