Attached is a proposed initial fix for the issue, which focuses on
avoiding wrong results.
The fix finds the domain of the SID by resolving a SID with the same domain
component and an RID of 513 (domain users), which hopefully never gets
We've discussed other means such as smb.conf stuff or netsamlogon - I
think those methods can come on top of this method, because if they
don't work we should always fall back to something. The added resolving
doesn't cost much because it's in the same round-trip.
The key thing about this fix is that it doesn't try to translate sid->xid
in any possible case (such as when old domain is gone and forgotten), it
just avoids getting the *wrong* result. As such, it's a good minimal fix
that can be applied to stable versions. For master, we can add the
smb.conf-based stuff, that will support more cases.
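
The probe SID described in the message above (same domain component, RID 513), derived from an arbitrary SID string. This is an added example, not code from the attached patch or from Samba; `probe_sid_for` and the sample SIDs are hypothetical, and the lookup call itself is not shown.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DOMAIN_USERS_RID 513u   /* RID named in the message above */

/*
 * Write to out the SID that shares sid's domain component but ends in
 * RID 513. Returns 0 on success, -1 if sid is malformed, has no domain
 * component plus RID, or does not fit in out.
 */
int probe_sid_for(const char *sid, char *out, size_t outlen)
{
    const char *p, *last_dash = NULL;
    char *end;
    int fields = 0;             /* identifier authority + sub-authorities */
    int n;

    if (sid == NULL || out == NULL || strncmp(sid, "S-1-", 4) != 0)
        return -1;
    for (p = sid + 3; *p == '-'; p = end) {
        unsigned long long v;
        if (p[1] < '0' || p[1] > '9')
            return -1;          /* rejects "--", signs and a trailing '-' */
        errno = 0;
        v = strtoull(p + 1, &end, 10);
        /* authority field is 48-bit, each sub-authority is 32-bit */
        if (errno != 0 ||
            v > (fields == 0 ? 0xFFFFFFFFFFFFull : 0xFFFFFFFFull))
            return -1;
        last_dash = p;
        fields++;
    }
    /* This example requires authority, >= 1 domain sub-authority and a
     * RID; a SID carries at most 15 sub-authorities. */
    if (*p != '\0' || fields < 3 || fields > 16)
        return -1;
    /* Copy everything before the last '-' and append the probe RID. */
    n = snprintf(out, outlen, "%.*s-%u",
                 (int)(last_dash - sid), sid, DOMAIN_USERS_RID);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char probe[128];
    /* Constructed sample SID, not taken from any real domain. */
    if (probe_sid_for("S-1-5-21-1111111111-2222222222-3333333333-1105",
                      probe, sizeof(probe)) == 0)
        printf("%s\n", probe);
    return 0;
}
```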