There is no check on the syntax 2.5.5.17 of securityIdentifier when saving the value. MS-AD will refuse to save if the syntax is not a hex string representation of an objectSID. Samba-AD will accept any hex string.

I have seen this issue at a client who was using the securityIdentifier to store the SHA1 string of the user password (no comments). When adding an MS-AD in the domain, the initial join works but subsequent replications fail. This is not a show stopper, but I had this case at a client today. Actually I'm not even clear on what this attribute's purpose is...

NDR unpack is complaining when displaying the corrupt user entry with an ldbsearch or a samba-tool user show.

How to reproduce:

* add a random string to the securityIdentifier attribute of a user
* samba-tool user show myser -> see the NDR unpack error
* try to join an MS-AD, replication fails after initial join
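The kind of well-formedness check the report says is missing can be illustrated with a small parser for the binary objectSid layout (revision byte, sub-authority count, 6-byte big-endian identifier authority, then up to 15 little-endian 32-bit sub-authorities). The code below is an added example written for this page; it is not Samba's code and does not use Samba's API. The function names (`parse_sid`, `sid_to_bytes`, `is_valid_sid_hex`, `classify_samples`) and the sample values are assumptions constructed for the illustration; the SHA-1 value used is the well-known digest of the empty string, standing in for the "SHA1 string of the user password" described above.

```python
import struct

MAX_SUB_AUTHORITIES = 15          # MS-DTYP limit on sub-authority count
HEADER_LEN = 8                    # revision(1) + count(1) + authority(6)


def parse_sid(blob: bytes) -> str:
    """Decode a binary SID into its S-R-I-S... string form.

    Raises ValueError for anything that is not a structurally valid SID,
    which is the kind of value the report says Samba currently stores
    without complaint and that NDR later fails to unpack.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("SID too short for header")
    revision, sub_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if sub_count > MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities: %d" % sub_count)
    if len(blob) != HEADER_LEN + 4 * sub_count:
        raise ValueError("length %d does not match sub-authority count %d"
                         % (len(blob), sub_count))
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[HEADER_LEN:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string into the binary objectSid layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("SID fields out of range")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def is_valid_sid_hex(value: str) -> bool:
    """Check a hex-string attribute value the way a pre-write syntax check would."""
    try:
        blob = bytes.fromhex(value)
    except ValueError:
        return False              # not even a hex string
    try:
        parse_sid(blob)
    except ValueError:
        return False              # hex, but not an objectSid
    return True


# Constructed sample values, as a client might submit them for securityIdentifier.
SAMPLE_VALUES = {
    "builtin_administrators": "01020000000000052000000020020000",   # S-1-5-32-544
    "sha1_of_empty_string": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "not_hex": "just some text",
    "truncated": "0102000000000005200000",
}


def classify_samples(samples=SAMPLE_VALUES):
    """Return which sample values would pass the syntax check."""
    return {name: is_valid_sid_hex(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, ok in classify_samples().items():
        print("%-24s %s" % (name, "accepted" if ok else "rejected"))
    print(parse_sid(bytes.fromhex(SAMPLE_VALUES["builtin_administrators"])))
```

The check is purely structural: it rejects non-hex input, blobs with a revision other than 1, and blobs whose length disagrees with the sub-authority count, which covers the random-string and SHA-1 cases from the report. It is not a proof that a value is a meaningful SID; a 20-byte digest that happened to start with bytes 0x01 0x03 would have a consistent length for three sub-authorities and pass, so the check enforces the attribute syntax, not the intent behind the value.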