"net sam provision" adds sambaNextUserRid to the sambaDomainName entry, but other commands and tools will use sambaNextRid. I guess the sambaNextUserRid and sambaNextGroupRid LDAP attributes should be removed from the schema, and tools should not rely on these.