All of my new users in my Samba domain were getting this error when they tried to log in to Windows after I updated our LDAP server. The problem was that I didn’t update my script to use the new SID on the new server. So for these users, the sambaSID and sambaPrimaryGroupSID values were wrong. I changed them with this LDIF file.

dn: uid=user1,ou=people,dc=edg,dc=uchicago,dc=edu
changetype: modify
replace: sambaSID
sambaSID: S-1-5-21-3315390538-3674444503-1443699862-4388
-
replace: sambaPrimaryGroupSID
sambaPrimaryGroupSID: S-1-5-21-3315390538-3674444503-1443699862-1413
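When more than one account is affected, the same correction can be generated from a directory export rather than written by hand. The script below is an added example, not part of the original post: it reads unfolded LDIF, finds sambaSID and sambaPrimaryGroupSID values whose domain part differs from the current domain SID, and emits modify records in the same shape as the file above. It assumes the RID (the last field) is correct and only the domain prefix is stale; the old SID and user2 in the sample are constructed, and the function names are hypothetical.

```python
import re

# Domain-relative SID: S-1-5-21-<three sub-authorities>-<RID>
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
SID_ATTRS = ("sambaSID", "sambaPrimaryGroupSID")
NEW_DOMAIN_SID = "S-1-5-21-3315390538-3674444503-1443699862"  # from the LDIF above

# Constructed sample export: user1 carries a made-up old domain SID,
# user2 (made up) already has the current one.
SAMPLE_EXPORT = """\
dn: uid=user1,ou=people,dc=edg,dc=uchicago,dc=edu
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-4388
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-1413

dn: uid=user2,ou=people,dc=edg,dc=uchicago,dc=edu
sambaSID: S-1-5-21-3315390538-3674444503-1443699862-4390
sambaPrimaryGroupSID: S-1-5-21-3315390538-3674444503-1443699862-1413
"""

def parse_entries(ldif_text):
    """Yield (dn, {attr: value}) for each blank-line-separated entry."""
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if not sep:
                continue  # not a plain "name: value" line
            if name.lower() == "dn":
                dn = value.strip()
            elif name in SID_ATTRS:
                attrs[name] = value.strip()
        if dn:
            yield dn, attrs

def build_fix(ldif_text, domain_sid):
    """Return LDIF modify records for SIDs whose domain part != domain_sid."""
    records = []
    for dn, attrs in parse_entries(ldif_text):
        mods = []
        for attr in SID_ATTRS:
            m = DOMAIN_SID_RE.match(attrs.get(attr, ""))
            # Well-known SIDs (e.g. S-1-5-32-544) and already-correct SIDs are left alone.
            if m and m.group(1) != domain_sid:
                mods.append(f"replace: {attr}\n{attr}: {domain_sid}-{m.group(2)}")
        if mods:
            records.append(f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(mods))
    return "\n\n".join(records) + ("\n" if records else "")

if __name__ == "__main__":
    print(build_fix(SAMPLE_EXPORT, NEW_DOMAIN_SID), end="")
```

Review the generated records before applying them; entries that already carry the current domain SID produce no output.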