@@ -, +, @@ 
 DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS
---
 python/samba/dbchecker.py | 2 +-
 source4/dsdb/pydsdb.c     | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
--- a/python/samba/dbchecker.py	
+++ a/python/samba/dbchecker.py	
@@ -759,7 +759,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
         m = ldb.Message()
         m.dn = obj.dn
         m['value'] = ldb.MessageElement(forward_vals, ldb.FLAG_MOD_REPLACE, forward_attr)
-        if self.do_modify(m, ["local_oid:1.3.6.1.4.1.7165.4.3.19.2:1"],
+        if self.do_modify(m, ["local_oid:%s:1" % dsdb.DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS],
                 "Failed to fix duplicate links in attribute '%s'" % forward_attr):
             self.report("Fixed duplicate links in attribute '%s'" % (forward_attr))
             duplicate_cache_key = "%s:%s" % (str(obj.dn), forward_attr)
--- a/source4/dsdb/pydsdb.c	
+++ a/source4/dsdb/pydsdb.c	
@@ -1569,6 +1569,7 @@ void initdsdb(void)
 	ADD_DSDB_STRING(DSDB_SYNTAX_OR_NAME);
 	ADD_DSDB_STRING(DSDB_CONTROL_DBCHECK);
 	ADD_DSDB_STRING(DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA);
+	ADD_DSDB_STRING(DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS);
 	ADD_DSDB_STRING(DSDB_CONTROL_REPLMD_VANISH_LINKS);
 	ADD_DSDB_STRING(DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID);
 	ADD_DSDB_STRING(DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OID);
-- 
 NOTE: old (due to rename or delete) DN string component for
 objectCategory in object CN=alice,CN=Users,DC=samba,DC=example,DC=com -
 <GUID=7bfdf9d8-62f9-420c-8a71-e3d3e931c91e>;
   CN=Person,CN=Schema,CN=Configuration,DC=samba,DC=bad,DC=com
 Change DN to <GUID=7bfdf9d8-62f9-420c-8a71-e3d3e931c91e>;
   CN=Person,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com?
 [y/N/all/none] y
 Failed to fix old DN string on attribute objectCategory : (16,
 "attribute 'objectCategory': no matching attribute value while deleting
 attribute on 'CN=alice,CN=Users,DC=samba,DC=example,DC=com'")
---
 python/samba/dbchecker.py                     | 19 ++++--
 source4/dsdb/pydsdb.c                         |  1 +
 .../dsdb/samdb/ldb_modules/repl_meta_data.c   | 64 ++++++++++++++++++
 source4/dsdb/samdb/samdb.h                    |  3 +
 ...-after-dbcheck-oneway-link-corruption.ldif | 19 ++++++
 ...eck-link-output-oneway-link-corruption.txt |  5 ++
 testprogs/blackbox/dbcheck-links.sh           | 65 +++++++++++++++++++
 7 files changed, 171 insertions(+), 5 deletions(-)
 create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/expected-after-dbcheck-oneway-link-corruption.ldif
 create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-oneway-link-corruption.txt
--- a/python/samba/dbchecker.py	
+++ a/python/samba/dbchecker.py	
@@ -650,7 +650,8 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
         m.dn = dn
         m['old_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_DELETE, attrname)
         m['new_value'] = ldb.MessageElement(str(dsdb_dn), ldb.FLAG_MOD_ADD, attrname)
-        if self.do_modify(m, ["show_recycled:1"],
+        if self.do_modify(m, ["show_recycled:1",
+                              "local_oid:%s:1" % dsdb.DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME],
                           "Failed to fix old DN string on attribute %s" % (attrname)):
             self.report("Fixed old DN string on attribute %s" % (attrname))
 
@@ -1289,14 +1290,22 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                                                       res[0].dn, "SID")
                 continue
 
+            # Only for non-links, not even forward-only links
+            # (otherwise this breaks repl_meta_data):
+            #
             # Now we have checked the GUID and SID, offer to fix old
-            # DN strings as a non-error (for forward links with no
+            # DN strings as a non-error (DNs, not links so no
             # backlink).  Samba does not maintain this string
             # otherwise, so we don't increment error_count.
             if reverse_link_name is None:
-                if str(res[0].dn) != str(dsdb_dn.dn):
-                    self.err_dn_string_component_old(obj.dn, attrname, val, dsdb_dn,
-                                                     res[0].dn)
+                if linkID == 0 and str(res[0].dn) != str(dsdb_dn.dn):
+                    # Pass in the old/bad DN without the <GUID=...> part,
+                    # otherwise the LDB code will correct it on the way through
+                    # (Note: we still want to preserve the DSDB DN prefix in the
+                    # case of binary DNs)
+                    bad_dn = dsdb_dn.prefix + dsdb_dn.dn.get_linearized()
+                    self.err_dn_string_component_old(obj.dn, attrname, bad_dn,
+                                                     dsdb_dn, res[0].dn)
                 continue
 
             # check the reverse_link is correct if there should be one
--- a/source4/dsdb/pydsdb.c	
+++ a/source4/dsdb/pydsdb.c	
@@ -1570,6 +1570,7 @@ void initdsdb(void)
 	ADD_DSDB_STRING(DSDB_CONTROL_DBCHECK);
 	ADD_DSDB_STRING(DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA);
 	ADD_DSDB_STRING(DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS);
+	ADD_DSDB_STRING(DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME);
 	ADD_DSDB_STRING(DSDB_CONTROL_REPLMD_VANISH_LINKS);
 	ADD_DSDB_STRING(DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID);
 	ADD_DSDB_STRING(DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OID);
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
+++ a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
@@ -3329,6 +3329,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
 	const struct ldb_message_element *guid_el = NULL;
 	struct ldb_control *sd_propagation_control;
 	struct ldb_control *fix_links_control = NULL;
+	struct ldb_control *fix_dn_name_control = NULL;
 	struct replmd_private *replmd_private =
 		talloc_get_type(ldb_module_get_private(module), struct replmd_private);
 
@@ -3387,6 +3388,69 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
 		return ldb_next_request(module, req);
 	}
 
+	fix_dn_name_control = ldb_request_get_control(req,
+					DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME);
+	if (fix_dn_name_control != NULL) {
+		struct dsdb_schema *schema = NULL;
+		const struct dsdb_attribute *sa = NULL;
+
+		if (req->op.mod.message->num_elements != 2) {
+			return ldb_module_operr(module);
+		}
+
+		if (req->op.mod.message->elements[0].flags != LDB_FLAG_MOD_DELETE) {
+			return ldb_module_operr(module);
+		}
+
+		if (req->op.mod.message->elements[1].flags != LDB_FLAG_MOD_ADD) {
+			return ldb_module_operr(module);
+		}
+
+		if (req->op.mod.message->elements[0].num_values != 1) {
+			return ldb_module_operr(module);
+		}
+
+		if (req->op.mod.message->elements[1].num_values != 1) {
+			return ldb_module_operr(module);
+		}
+
+		schema = dsdb_get_schema(ldb, req);
+		if (schema == NULL) {
+			return ldb_module_operr(module);
+		}
+
+		if (ldb_attr_cmp(req->op.mod.message->elements[0].name,
+				 req->op.mod.message->elements[1].name) != 0) {
+			return ldb_module_operr(module);
+		}
+
+		sa = dsdb_attribute_by_lDAPDisplayName(schema,
+				req->op.mod.message->elements[0].name);
+		if (sa == NULL) {
+			return ldb_module_operr(module);
+		}
+
+		if (sa->dn_format == DSDB_INVALID_DN) {
+			return ldb_module_operr(module);
+		}
+
+		if (sa->linkID != 0) {
+			return ldb_module_operr(module);
+		}
+
+		/*
+		 * If we are run from dbcheck and we are not updating
+		 * a link (as these would need to be sorted and so
+		 * can't go via such a simple update, then do not
+		 * trigger replicated updates and a new USN from this
+		 * change, it wasn't a real change, just a new
+		 * (correct) string DN
+		 */
+
+		fix_dn_name_control->critical = false;
+		return ldb_next_request(module, req);
+	}
+
 	ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_modify\n");
 
 	guid_el = ldb_msg_find_element(req->op.mod.message, "objectGUID");
--- a/source4/dsdb/samdb/samdb.h	
+++ a/source4/dsdb/samdb/samdb.h	
@@ -130,6 +130,9 @@ struct dsdb_control_password_change {
 /* passed by dbcheck to fix duplicate linked attributes (bug #13095) */
 #define DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS "1.3.6.1.4.1.7165.4.3.19.2"
 
+/* passed by dbcheck to fix the DN strong of a one-way-link (bug #13495) */
+#define DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME "1.3.6.1.4.1.7165.4.3.19.3"
+
 /* passed when importing plain text password on upgrades */
 #define DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID "1.3.6.1.4.1.7165.4.3.20"
 
--- a/source4/selftest/provisions/release-4-5-0-pre1/expected-after-dbcheck-oneway-link-corruption.ldif	
+++ a/source4/selftest/provisions/release-4-5-0-pre1/expected-after-dbcheck-oneway-link-corruption.ldif	
@@ -0,0 +1,19 @@ 
+# record 1
+dn: OU=dangling-ou2,DC=release-4-5-0-pre1,DC=samba,DC=corp
+
+# record 2
+dn: OU=dangling-from,DC=release-4-5-0-pre1,DC=samba,DC=corp
+seeAlso: OU=dangling-ou2,DC=release-4-5-0-pre1,DC=samba,DC=corp
+
+# Referral
+ref: ldap:///CN=Configuration,DC=release-4-5-0-pre1,DC=samba,DC=corp
+
+# Referral
+ref: ldap:///DC=DomainDnsZones,DC=release-4-5-0-pre1,DC=samba,DC=corp
+
+# Referral
+ref: ldap:///DC=ForestDnsZones,DC=release-4-5-0-pre1,DC=samba,DC=corp
+
+# returned 5 records
+# 2 entries
+# 3 referrals
--- a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-oneway-link-corruption.txt	
+++ a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-oneway-link-corruption.txt	
@@ -0,0 +1,5 @@ 
+Checking 228 objects
+NOTE: old (due to rename or delete) DN string component for seeAlso in object OU=dangling-from,DC=release-4-5-0-pre1,DC=samba,DC=corp - OU=dangling-ou,DC=release-4-5-0-pre1,DC=samba,DC=corp
+Change DN to <GUID=20600e7c-92bb-492e-9552-f3ed7f8a2cad>;OU=dangling-ou2,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES]
+Fixed old DN string on attribute seeAlso
+Checked 228 objects (0 errors)
--- a/testprogs/blackbox/dbcheck-links.sh	
+++ a/testprogs/blackbox/dbcheck-links.sh	
@@ -205,6 +205,67 @@ check_expected_after_dbcheck_forward_link_corruption() {
     fi
 }
 
+oneway_link_corruption() {
+    #
+    # Step1: add  OU "dangling-ou"
+    #
+    ldif=$PREFIX_ABS/${RELEASE}/oneway_link_corruption.ldif
+    cat > $ldif <<EOF
+dn: OU=dangling-ou,DC=release-4-5-0-pre1,DC=samba,DC=corp
+changetype: add
+objectclass: organizationalUnit
+objectGUID: 20600e7c-92bb-492e-9552-f3ed7f8a2cad
+EOF
+
+    out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+    if [ "$?" != "0" ]; then
+	echo "ldbmodify returned:\n$out"
+	return 1
+    fi
+
+    #
+    # Step2: add  msExchConfigurationContainer "dangling-msexch"
+    #
+    ldif=$PREFIX_ABS/${RELEASE}/oneway_link_corruption2.ldif
+    cat > $ldif <<EOF
+dn: OU=dangling-from,DC=release-4-5-0-pre1,DC=samba,DC=corp
+changetype: add
+objectclass: organizationalUnit
+seeAlso: OU=dangling-ou,DC=release-4-5-0-pre1,DC=samba,DC=corp
+EOF
+
+    out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif)
+    if [ "$?" != "0" ]; then
+	echo "ldbmodify returned:\n$out"
+	return 1
+    fi
+
+    #
+    # Step3: rename dangling-ou to dangling-ou2
+    #
+    # Because this is a one-way link we don't fix it at runtime
+    #
+    out=$(TZ=UTC $ldbrename -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb OU=dangling-ou,DC=release-4-5-0-pre1,DC=samba,DC=corp OU=dangling-ou2,DC=release-4-5-0-pre1,DC=samba,DC=corp)
+    if [ "$?" != "0" ]; then
+	echo "ldbmodify returned:\n$out"
+	return 1
+    fi
+}
+
+dbcheck_oneway_link_corruption() {
+    dbcheck "-oneway-link-corruption" "0" ""
+    return $?
+}
+
+check_expected_after_dbcheck_oneway_link_corruption() {
+    tmpldif=$PREFIX_ABS/$RELEASE/expected-after-dbcheck-oneway-link-corruption.ldif.tmp
+    TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(ou=dangling-ou)(ou=dangling-ou2)(ou=dangling-from))' -s sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted seeAlso > $tmpldif
+    diff $tmpldif $release_dir/expected-after-dbcheck-oneway-link-corruption.ldif
+    if [ "$?" != "0" ]; then
+	return 1
+    fi
+}
+
 dbcheck_dangling_multi_valued() {
 
     $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --fix --yes
@@ -276,6 +337,10 @@ if [ -d $release_dir ]; then
     testit "dbcheck_forward_link_corruption" dbcheck_forward_link_corruption
     testit "check_expected_after_dbcheck_forward_link_corruption" check_expected_after_dbcheck_forward_link_corruption
     testit "forward_link_corruption_clean" dbcheck_clean
+    testit "oneway_link_corruption" oneway_link_corruption
+    testit "dbcheck_oneway_link_corruption" dbcheck_oneway_link_corruption
+    testit "check_expected_after_dbcheck_oneway_link_corruption" check_expected_after_dbcheck_oneway_link_corruption
+    testit "oneway_link_corruption_clean" dbcheck_clean
     testit "dangling_one_way_link" dangling_one_way_link
     testit "dbcheck_one_way" dbcheck_one_way
     testit "dbcheck_clean2" dbcheck_clean
-- 
 DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME
---
 source4/setup/schema_samba4.ldif | 1 +
 1 file changed, 1 insertion(+)
--- a/source4/setup/schema_samba4.ldif	
+++ a/source4/setup/schema_samba4.ldif	
@@ -214,6 +214,7 @@ 
 #Allocated: DSDB_CONTROL_DBCHECK 1.3.6.1.4.1.7165.4.3.19
 #Allocated: DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA 1.3.6.1.4.1.7165.4.3.19.1
 #Allocated: DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS 1.3.6.1.4.1.7165.4.3.19.2
+#Allocated: DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME 1.3.6.1.4.1.7165.4.3.19.3
 #Allocated: DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID 1.3.6.1.4.1.7165.4.3.20
 #Allocated: DSDB_CONTROL_SEC_DESC_PROPAGATION_OID 1.3.6.1.4.1.7165.4.3.21
 #Allocated: DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID 1.3.6.1.4.1.7165.4.3.23
-- 
 DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME
---
 source4/dsdb/samdb/samdb.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/source4/dsdb/samdb/samdb.h	
+++ a/source4/dsdb/samdb/samdb.h	
@@ -130,7 +130,7 @@ struct dsdb_control_password_change {
 /* passed by dbcheck to fix duplicate linked attributes (bug #13095) */
 #define DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS "1.3.6.1.4.1.7165.4.3.19.2"
 
-/* passed by dbcheck to fix the DN strong of a one-way-link (bug #13495) */
+/* passed by dbcheck to fix the DN string of a one-way-link (bug #13495) */
 #define DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME "1.3.6.1.4.1.7165.4.3.19.3"
 
 /* passed when importing plain text password on upgrades */
-- 
 samba4.blackbox.test_primary_group test
---
 .../samba4.blackbox.test_primary_group        |  2 +
 source4/selftest/tests.py                     |  2 +
 testprogs/blackbox/test_primary_group.sh      | 86 +++++++++++++++++++
 3 files changed, 90 insertions(+)
 create mode 100644 selftest/knownfail.d/samba4.blackbox.test_primary_group
 create mode 100755 testprogs/blackbox/test_primary_group.sh
--- a/selftest/knownfail.d/samba4.blackbox.test_primary_group	
+++ a/selftest/knownfail.d/samba4.blackbox.test_primary_group	
@@ -0,0 +1,2 @@ 
+^samba4.blackbox.test_primary_group.dbcheck.*run1
+^samba4.blackbox.test_primary_group.dbcheck.*run2
--- a/source4/selftest/tests.py	
+++ a/source4/selftest/tests.py	
@@ -406,6 +406,8 @@ for env in ["ad_member", "s4member", "ad_dc_ntvfs", "chgdcpass"]:
 plantestsuite("samba4.blackbox.samba_tool(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(samba4srcdir, "utils/tests/test_samba_tool.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$DOMAIN', smbclient4])
 plantestsuite("samba4.blackbox.net_rpc_user(ad_dc)", "ad_dc", [os.path.join(bbdir, "test_net_rpc_user.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN'])
 
+plantestsuite("samba4.blackbox.test_primary_group", "ad_dc:local", [os.path.join(bbdir, "test_primary_group.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX_ABS'])
+
 if have_heimdal_support:
     for env in ["ad_dc_ntvfs", "ad_dc"]:
         plantestsuite("samba4.blackbox.pkinit(%s:local)" % env, "%s:local" % env, [os.path.join(bbdir, "test_pkinit_heimdal.sh"), '$SERVER', 'pkinit', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX/%s' % env, "aes256-cts-hmac-sha1-96", smbclient4, configuration])
--- a/testprogs/blackbox/test_primary_group.sh	
+++ a/testprogs/blackbox/test_primary_group.sh	
@@ -0,0 +1,86 @@ 
+#!/bin/bash
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_primary_group.sh SERVER USERNAME PASSWORD DOMAIN PREFIX_ABS
+EOF
+exit 1;
+fi
+
+TMPDIR="$PREFIX_ABS/$(basename $0)"
+export TMPDIR
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+DOMAIN=$4
+PREFIX_ABS=$5
+shift 5
+failed=0
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+TZ=UTC
+export TZ
+
+N=$(date +%H%M%S)
+
+testuser="testuser$N"
+testgroup="testgroup$N"
+
+echo "testuser: $testuser"
+echo "testgroup: $testgroup"
+
+testit "mkdir -p '${TMPDIR}'" mkdir -p ${TMPDIR} || failed=`expr $failed + 1`
+
+testit "create '$testuser'" $VALGRIND $PYTHON $BINDIR/samba-tool user create "$testuser" Password.1 || failed=`expr $failed + 1`
+testit "add '$testgroup'" $VALGRIND $PYTHON $BINDIR/samba-tool group add "$testgroup" || failed=`expr $failed + 1`
+testit "addmembers '$testgroup' '$testuser'" $VALGRIND $PYTHON $BINDIR/samba-tool group addmembers "$testgroup" "$testuser" || failed=`expr $failed + 1`
+
+testit "search1" $VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName="$testgroup" objectSid || failed=`expr $failed + 1`
+ldif="${TMPDIR}/search1.ldif"
+$VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName=$testgroup objectSid > $ldif
+rid=$(cat $ldif | sed -n 's/^objectSid: S-1-5-21-.*-.*-.*-//p')
+
+testit "search2" $VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName="$testuser" dn || failed=`expr $failed + 1`
+ldif="${TMPDIR}/search2.ldif"
+$VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName=$testuser dn > $ldif
+user_dn=$(cat $ldif | sed -n 's/^dn: //p')
+
+ldif="${TMPDIR}/modify1.ldif"
+cat > $ldif <<EOF
+dn: $user_dn
+changetype: modify
+replace: primaryGroupID
+primaryGroupID: $rid
+EOF
+testit "Change primaryGroupID to $rid" $VALGRIND $BINDIR/ldbmodify -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 --verbose < $ldif || failed=`expr $failed + 1`
+
+testit "dbcheck run1" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member || failed=`expr $failed + 1`
+
+ldif="${TMPDIR}/modify2.ldif"
+cat > $ldif <<EOF
+dn: $user_dn
+changetype: modify
+replace: primaryGroupID
+primaryGroupID: 513
+EOF
+testit "Change primaryGroupID to 513" $VALGRIND $BINDIR/ldbmodify  -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 < $ldif || failed=`expr $failed + 1`
+
+testit "dbcheck run2" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member || failed=`expr $failed + 1`
+
+testit "delete '$testuser'" $VALGRIND $PYTHON $BINDIR/samba-tool user delete "$testuser" || failed=`expr $failed + 1`
+testit "delete '$testgroup'" $VALGRIND $PYTHON $BINDIR/samba-tool group delete "$testgroup" || failed=`expr $failed + 1`
+
+#
+# As we don't support phantom objects and virtual backlinks
+# the deletion of the user and group cause dangling links,
+# which are detected like this:
+#
+# WARNING: target DN is deleted for member in object
+#
+testit_expect_failure "dbcheck run3" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member --fix --yes || failed=`expr $failed + 1`
+testit "dbcheck run4" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member || failed=`expr $failed + 1`
+
+exit $failed
-- 
---
 source4/dsdb/pydsdb.c            | 1 +
 source4/dsdb/samdb/samdb.h       | 3 +++
 source4/setup/schema_samba4.ldif | 1 +
 3 files changed, 5 insertions(+)
--- a/source4/dsdb/pydsdb.c	
+++ a/source4/dsdb/pydsdb.c	
@@ -1571,6 +1571,7 @@ void initdsdb(void)
 	ADD_DSDB_STRING(DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA);
 	ADD_DSDB_STRING(DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS);
 	ADD_DSDB_STRING(DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME);
+	ADD_DSDB_STRING(DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID);
 	ADD_DSDB_STRING(DSDB_CONTROL_REPLMD_VANISH_LINKS);
 	ADD_DSDB_STRING(DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID);
 	ADD_DSDB_STRING(DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OID);
--- a/source4/dsdb/samdb/samdb.h	
+++ a/source4/dsdb/samdb/samdb.h	
@@ -133,6 +133,9 @@ struct dsdb_control_password_change {
 /* passed by dbcheck to fix the DN string of a one-way-link (bug #13495) */
 #define DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME "1.3.6.1.4.1.7165.4.3.19.3"
 
+/* passed by dbcheck to fix the DN SID of a one-way-link (bug #13418) */
+#define DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID "1.3.6.1.4.1.7165.4.3.19.4"
+
 /* passed when importing plain text password on upgrades */
 #define DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID "1.3.6.1.4.1.7165.4.3.20"
 
--- a/source4/setup/schema_samba4.ldif	
+++ a/source4/setup/schema_samba4.ldif	
@@ -215,6 +215,7 @@ 
 #Allocated: DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA 1.3.6.1.4.1.7165.4.3.19.1
 #Allocated: DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS 1.3.6.1.4.1.7165.4.3.19.2
 #Allocated: DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME 1.3.6.1.4.1.7165.4.3.19.3
+#Allocated: DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID 1.3.6.1.4.1.7165.4.3.19.4
 #Allocated: DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID 1.3.6.1.4.1.7165.4.3.20
 #Allocated: DSDB_CONTROL_SEC_DESC_PROPAGATION_OID 1.3.6.1.4.1.7165.4.3.21
 #Allocated: DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID 1.3.6.1.4.1.7165.4.3.23
-- 
---
 python/samba/dbchecker.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/python/samba/dbchecker.py	
+++ a/python/samba/dbchecker.py	
@@ -378,10 +378,11 @@ systemFlags: -1946157056%s""" % (dn, guid_suffix),
 
     def do_modify(self, m, controls, msg, validate=True):
         '''perform a modify with optional verbose output'''
+        controls = controls + ["local_oid:%s:0" % dsdb.DSDB_CONTROL_DBCHECK]
         if self.verbose:
             self.report(self.samdb.write_ldif(m, ldb.CHANGETYPE_MODIFY))
+            self.report("controls: %r" % controls)
         try:
-            controls = controls + ["local_oid:%s:0" % dsdb.DSDB_CONTROL_DBCHECK]
             self.samdb.modify(m, controls=controls, validate=validate)
         except Exception, err:
             if self.in_transaction:
-- 
---
 python/samba/dbchecker.py | 42 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)
--- a/python/samba/dbchecker.py	
+++ a/python/samba/dbchecker.py	
@@ -59,6 +59,7 @@ class dbcheck(object):
         self.fix_all_string_dn_component_mismatch = False
         self.fix_all_GUID_dn_component_mismatch = False
         self.fix_all_SID_dn_component_mismatch = False
+        self.fix_all_SID_dn_component_missing = False
         self.fix_all_old_dn_string_component_mismatch = False
         self.fix_all_metadata = False
         self.fix_time_metadata = False
@@ -673,6 +674,38 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                           "Failed to fix incorrect DN %s on attribute %s" % (mismatch_type, attrname)):
             self.report("Fixed incorrect DN %s on attribute %s" % (mismatch_type, attrname))
 
+    def err_dn_component_missing_target_sid(self, dn, attrname, val, dsdb_dn, target_sid_blob):
+        """handle a DN string being incorrect"""
+        self.report("ERROR: missing DN SID component for %s in object %s - %s" % (attrname, dn, val))
+
+        if len(dsdb_dn.prefix) != 0:
+            self.report("Not fixing missing DN SID on DN+BINARY or DN+STRING")
+            return
+
+        correct_dn = ldb.Dn(self.samdb, dsdb_dn.dn.extended_str())
+        correct_dn.set_extended_component("SID", target_sid_blob)
+
+        if not self.confirm_all('Change DN to %s?' % correct_dn.extended_str(),
+                                'fix_all_SID_dn_component_missing'):
+            self.report("Not fixing missing DN SID component")
+            return
+
+        target_guid_blob = correct_dn.get_extended_component("GUID")
+        guid_sid_dn = ldb.Dn(self.samdb, "")
+        guid_sid_dn.set_extended_component("GUID", target_guid_blob)
+        guid_sid_dn.set_extended_component("SID", target_sid_blob)
+
+        m = ldb.Message()
+        m.dn = dn
+        m['new_value'] = ldb.MessageElement(guid_sid_dn.extended_str(), ldb.FLAG_MOD_ADD, attrname)
+        controls = [
+            "show_recycled:1",
+            "local_oid:%s:1" % dsdb.DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID
+        ]
+        if self.do_modify(m, controls,
+                          "Failed to ADD missing DN SID on attribute %s" % (attrname)):
+            self.report("Fixed missing DN SID on attribute %s" % (attrname))
+
     def err_unknown_attribute(self, obj, attrname):
         '''handle an unknown attribute error'''
         self.report("ERROR: unknown attribute '%s' in %s" % (attrname, obj.dn))
@@ -1285,7 +1318,14 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                                                       res[0].dn, "GUID")
                 continue
 
-            if res[0].dn.get_extended_component("SID") != dsdb_dn.dn.get_extended_component("SID"):
+            target_sid = res[0].dn.get_extended_component("SID")
+            link_sid = dsdb_dn.dn.get_extended_component("SID")
+            if link_sid is None and target_sid is not None:
+                error_count += 1
+                self.err_dn_component_missing_target_sid(obj.dn, attrname, val,
+                                                         dsdb_dn, target_sid)
+                continue
+            if link_sid != target_sid:
                 error_count += 1
                 self.err_dn_component_target_mismatch(obj.dn, attrname, val, dsdb_dn,
                                                       res[0].dn, "SID")
-- 
 <SID=...> on linked attributes
---
 .../knownfail.d/samba4.blackbox.dbcheck-links |   6 +
 ...ink-output-missing-link-sid-corruption.txt |   8 ++
 testprogs/blackbox/dbcheck-links.sh           | 110 ++++++++++++++++++
 3 files changed, 124 insertions(+)
 create mode 100644 selftest/knownfail.d/samba4.blackbox.dbcheck-links
 create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt
--- a/selftest/knownfail.d/samba4.blackbox.dbcheck-links	
+++ a/selftest/knownfail.d/samba4.blackbox.dbcheck-links	
@@ -0,0 +1,6 @@ 
+# The first one fails and all others are follow up failures...
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_missing_link_sid_corruption
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.missing_link_sid_clean
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_clean3
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_dangling_multi_valued
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dangling_multi_valued_check_equal_or_too_many
--- a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt	
+++ a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt	
@@ -0,0 +1,8 @@ 
+Change DN to <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3769>;<RMD_ORIGINATING_USN=3769>;<RMD_VERSION=2>;<SID=S-1-5-21-4177067393-1453636373-93818738-771>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES]
+Change DN to <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3768>;<RMD_ORIGINATING_USN=3768>;<RMD_VERSION=1>;<SID=S-1-5-21-4177067393-1453636373-93818738-772>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp? [YES]
+Checked 231 objects (2 errors)
+Checking 231 objects
+ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=0da8f25e-d110-11e8-80b7-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3769>;<RMD_ORIGINATING_USN=3769>;<RMD_VERSION=2>;CN=missingsidu1,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+ERROR: missing DN SID component for member in object CN=missingsidg3,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp - <GUID=66eb8f52-d110-11e8-ab9b-3c970ec68461>;<RMD_ADDTIME=123456789000000000>;<RMD_CHANGETIME=123456789000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=4e4496a3-7fb8-4f97-8a33-d238db8b5e2d>;<RMD_LOCAL_USN=3768>;<RMD_ORIGINATING_USN=3768>;<RMD_VERSION=1>;CN=missingsidu2,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+Fixed missing DN SID on attribute member
+Fixed missing DN SID on attribute member
--- a/testprogs/blackbox/dbcheck-links.sh	
+++ a/testprogs/blackbox/dbcheck-links.sh	
@@ -131,6 +131,113 @@ check_expected_after_duplicate_links() {
     fi
 }
 
+missing_link_sid_corruption() {
+    # Step1: add user "missingsidu1"
+    #
+    ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption1.ldif
+    cat > $ldif <<EOF
+dn: CN=missingsidu1,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+changetype: add
+objectclass: user
+samaccountname: missingsidu1
+objectGUID: 0da8f25e-d110-11e8-80b7-3c970ec68461
+objectSid: S-1-5-21-4177067393-1453636373-93818738-771
+EOF
+
+    out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+    if [ "$?" != "0" ]; then
+	echo "ldbmodify returned:\n$out"
+	return 1
+    fi
+
+    # Step2: add user "missingsidu2"
+    #
+    ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption2.ldif
+    cat > $ldif <<EOF
+dn: CN=missingsidu2,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+changetype: add
+objectclass: user
+samaccountname: missingsidu2
+objectGUID: 66eb8f52-d110-11e8-ab9b-3c970ec68461
+objectSid: S-1-5-21-4177067393-1453636373-93818738-772
+EOF
+
+    out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+    if [ "$?" != "0" ]; then
+	echo "ldbmodify returned:\n$out"
+	return 1
+    fi
+
+    # Step3: add group "missingsidg3" and add users as members
+    #
+    ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption3.ldif
+    cat > $ldif <<EOF
+dn: CN=missingsidg3,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+changetype: add
+objectclass: group
+samaccountname: missingsidg3
+objectGUID: fd992424-d114-11e8-bb36-3c970ec68461
+objectSid: S-1-5-21-4177067393-1453636373-93818738-773
+member: CN=missingsidu1,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+member: CN=missingsidu2,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+EOF
+
+    out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+    if [ "$?" != "0" ]; then
+	echo "ldbmodify returned:\n$out"
+	return 1
+    fi
+
+    # Step4: remove one user again, so that we have one deleted link
+    #
+    ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption4.ldif
+    cat > $ldif <<EOF
+dn: CN=missingsidg3,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+changetype: modify
+delete: member
+member: CN=missingsidu1,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+EOF
+
+    out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+    if [ "$?" != "0" ]; then
+	echo "ldbmodify returned:\n$out"
+	return 1
+    fi
+
+    #
+    # Step5: remove the SIDS from the links
+    #
+    LDIF1=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -b 'CN=missingsidg3,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' -s base --reveal --extended-dn --show-binary member)
+    DN=$(echo "${LDIF1}" | grep '^dn: ')
+    MSG=$(echo "${LDIF1}" | grep -v '^dn: ' | grep -v '^#' | grep -v '^$')
+    ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption5.ldif
+    {
+	echo "${DN}"
+	echo "changetype: modify"
+	echo "replace: member"
+	#echo "${MSG}"
+	echo "${MSG}" | sed \
+		-e 's!<SID=S-1-5-21-4177067393-1453636373-93818738-771>;!!g' \
+		-e 's!<SID=S-1-5-21-4177067393-1453636373-93818738-772>;!!g' \
+		-e 's!RMD_ADDTIME=[1-9][0-9]*!RMD_ADDTIME=123456789000000000!g' \
+		-e 's!RMD_CHANGETIME=[1-9][0-9]*!RMD_CHANGETIME=123456789000000000!g' \
+		| cat
+    } > $ldif
+
+    out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif)
+    if [ "$?" != "0" ]; then
+	echo "ldbmodify returned:\n$out"
+	return 1
+    fi
+
+    return 0
+}
+
+dbcheck_missing_link_sid_corruption() {
+    dbcheck "-missing-link-sid-corruption" "1" ""
+    return $?
+}
+
 forward_link_corruption() {
     #
     # Step1: add a duplicate forward link from
@@ -344,6 +451,9 @@ if [ -d $release_dir ]; then
     testit "dangling_one_way_link" dangling_one_way_link
     testit "dbcheck_one_way" dbcheck_one_way
     testit "dbcheck_clean2" dbcheck_clean
+    testit "missing_link_sid_corruption" missing_link_sid_corruption
+    testit "dbcheck_missing_link_sid_corruption" dbcheck_missing_link_sid_corruption
+    testit "missing_link_sid_clean" dbcheck_clean
     testit "dangling_one_way_dn" dangling_one_way_dn
     testit "deleted_one_way_dn" deleted_one_way_dn
     testit "dbcheck_clean3" dbcheck_clean
-- 
 replmd_replicated_request to replmd_modify_handle_linked_attribs()
---
 .../dsdb/samdb/ldb_modules/repl_meta_data.c   | 25 ++++++++-----------
 1 file changed, 10 insertions(+), 15 deletions(-)
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
+++ a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
@@ -3116,8 +3116,9 @@ static int replmd_modify_la_replace(struct ldb_module *module,
  */
 static int replmd_modify_handle_linked_attribs(struct ldb_module *module,
 					       struct replmd_private *replmd_private,
+					       struct replmd_replicated_request *ac,
 					       struct ldb_message *msg,
-					       uint64_t seq_num, time_t t,
+					       time_t t,
 					       struct ldb_request *parent)
 {
 	struct ldb_result *res;
@@ -3126,8 +3127,6 @@ static int replmd_modify_handle_linked_attribs(struct ldb_module *module,
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
 	struct ldb_message *old_msg;
 
-	const struct dsdb_schema *schema;
-
 	if (dsdb_functional_level(ldb) == DS_DOMAIN_FUNCTION_2000) {
 		/*
 		 * Nothing special is required for modifying or vanishing links
@@ -3161,10 +3160,6 @@ static int replmd_modify_handle_linked_attribs(struct ldb_module *module,
 	if (ret != LDB_SUCCESS) {
 		return ret;
 	}
-	schema = dsdb_get_schema(ldb, res);
-	if (!schema) {
-		return LDB_ERR_OPERATIONS_ERROR;
-	}
 
 	old_msg = res->msgs[0];
 
@@ -3173,7 +3168,7 @@ static int replmd_modify_handle_linked_attribs(struct ldb_module *module,
 		struct ldb_message_element *old_el, *new_el;
 		unsigned int mod_type = LDB_FLAG_MOD_TYPE(el->flags);
 		const struct dsdb_attribute *schema_attr
-			= dsdb_attribute_by_lDAPDisplayName(schema, el->name);
+			= dsdb_attribute_by_lDAPDisplayName(ac->schema, el->name);
 		if (!schema_attr) {
 			ldb_asprintf_errstring(ldb,
 					       "%s: attribute %s is not a valid attribute in schema",
@@ -3209,22 +3204,22 @@ static int replmd_modify_handle_linked_attribs(struct ldb_module *module,
 		switch (mod_type) {
 		case LDB_FLAG_MOD_REPLACE:
 			ret = replmd_modify_la_replace(module, replmd_private,
-						       schema, msg, el, old_el,
-						       schema_attr, seq_num, t,
+						       ac->schema, msg, el, old_el,
+						       schema_attr, ac->seq_num, t,
 						       old_msg->dn,
 						       parent);
 			break;
 		case LDB_FLAG_MOD_DELETE:
 			ret = replmd_modify_la_delete(module, replmd_private,
-						      schema, msg, el, old_el,
-						      schema_attr, seq_num, t,
+						      ac->schema, msg, el, old_el,
+						      schema_attr, ac->seq_num, t,
 						      old_msg->dn,
 						      parent);
 			break;
 		case LDB_FLAG_MOD_ADD:
 			ret = replmd_modify_la_add(module, replmd_private,
-						   schema, msg, el, old_el,
-						   schema_attr, seq_num, t,
+						   ac->schema, msg, el, old_el,
+						   schema_attr, ac->seq_num, t,
 						   old_msg->dn,
 						   parent);
 			break;
@@ -3496,7 +3491,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
 	}
 
 	ret = replmd_modify_handle_linked_attribs(module, replmd_private,
-						  msg, ac->seq_num, t, req);
+						  ac, msg, t, req);
 	if (ret != LDB_SUCCESS) {
 		talloc_free(ac);
 		return ret;
-- 
 replmd_replicated_request to replmd_modify_la_add()
---
 .../dsdb/samdb/ldb_modules/repl_meta_data.c   | 27 +++++++------------
 1 file changed, 10 insertions(+), 17 deletions(-)
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
+++ a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
@@ -2398,12 +2398,11 @@ static int replmd_update_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct d
  */
 static int replmd_modify_la_add(struct ldb_module *module,
 				struct replmd_private *replmd_private,
-				const struct dsdb_schema *schema,
+				struct replmd_replicated_request *ac,
 				struct ldb_message *msg,
 				struct ldb_message_element *el,
 				struct ldb_message_element *old_el,
 				const struct dsdb_attribute *schema_attr,
-				uint64_t seq_num,
 				time_t t,
 				struct ldb_dn *msg_dn,
 				struct ldb_request *parent)
@@ -2416,17 +2415,10 @@ static int replmd_modify_la_add(struct ldb_module *module,
 	unsigned old_num_values = old_el ? old_el->num_values : 0;
 	unsigned num_values = 0;
 	unsigned max_num_values;
-	const struct GUID *invocation_id;
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
 	NTTIME now;
 	unix_to_nt_time(&now, t);
 
-	invocation_id = samdb_ntds_invocation_id(ldb);
-	if (!invocation_id) {
-		talloc_free(tmp_ctx);
-		return LDB_ERR_OPERATIONS_ERROR;
-	}
-
 	/* get the DNs to be added, fully parsed.
 	 *
 	 * We need full parsing because they came off the wire and we don't
@@ -2522,15 +2514,16 @@ static int replmd_modify_la_add(struct ldb_module *module,
 			ret = replmd_update_la_val(new_values, exact->v,
 						   dns[i].dsdb_dn,
 						   exact->dsdb_dn,
-						   invocation_id, seq_num,
-						   seq_num, now, 0, false);
+						   &ac->our_invocation_id,
+						   ac->seq_num, ac->seq_num,
+						   0, now, false);
 			if (ret != LDB_SUCCESS) {
 				talloc_free(tmp_ctx);
 				return ret;
 			}
 
 			ret = replmd_add_backlink(module, replmd_private,
-						  schema,
+						  ac->schema,
 						  msg_dn,
 						  &dns[i].guid, 
 						  true,
@@ -2572,15 +2565,15 @@ static int replmd_modify_la_add(struct ldb_module *module,
 		}
 
 		ret = replmd_add_backlink(module, replmd_private,
-					  schema, msg_dn,
+					  ac->schema, msg_dn,
 					  &dns[i].guid,
 					  true, schema_attr,
 					  parent);
 		/* Make the new linked attribute ldb_val. */
 		ret = replmd_build_la_val(new_values, &new_values[num_values],
-					  dns[i].dsdb_dn, invocation_id,
-					  seq_num, seq_num,
+					  dns[i].dsdb_dn, &ac->our_invocation_id,
+					  ac->seq_num, ac->seq_num,
 					  now, 0, false);
 		if (ret != LDB_SUCCESS) {
 			talloc_free(tmp_ctx);
 			return ret;
@@ -3218,8 +3211,8 @@ static int replmd_modify_handle_linked_attribs(struct ldb_module *module,
 			break;
 		case LDB_FLAG_MOD_ADD:
 			ret = replmd_modify_la_add(module, replmd_private,
-						   ac->schema, msg, el, old_el,
-						   schema_attr, ac->seq_num, t,
+						   ac, msg, el, old_el,
+						   schema_attr, t,
 						   old_msg->dn,
 						   parent);
 			break;
-- 
 replmd_modify_la_add()
---
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
+++ a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
@@ -2445,7 +2445,7 @@ static int replmd_modify_la_add(struct ldb_module *module,
 	max_num_values = old_num_values + el->num_values;
 	if (max_num_values < old_num_values) {
 		DEBUG(0, ("we seem to have overflow in replmd_modify_la_add. "
-			  "old values: %u, new values: %u, sum: %u",
+			  "old values: %u, new values: %u, sum: %u\n",
 			  old_num_values, el->num_values, max_num_values));
 		talloc_free(tmp_ctx);
 		return LDB_ERR_OPERATIONS_ERROR;
-- 
 replmd_replicated_request to replmd_modify_la_delete()
---
 .../dsdb/samdb/ldb_modules/repl_meta_data.c   | 27 ++++++++-----------
 1 file changed, 11 insertions(+), 16 deletions(-)
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
+++ a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
@@ -2611,12 +2611,11 @@ static int replmd_modify_la_add(struct ldb_module *module,
  */
 static int replmd_modify_la_delete(struct ldb_module *module,
 				   struct replmd_private *replmd_private,
-				   const struct dsdb_schema *schema,
+				   struct replmd_replicated_request *ac,
 				   struct ldb_message *msg,
 				   struct ldb_message_element *el,
 				   struct ldb_message_element *old_el,
 				   const struct dsdb_attribute *schema_attr,
-				   uint64_t seq_num,
 				   time_t t,
 				   struct ldb_dn *msg_dn,
 				   struct ldb_request *parent)
@@ -2630,16 +2629,10 @@ static int replmd_modify_la_delete(struct ldb_module *module,
 	bool vanish_links = false;
 	unsigned int num_to_delete = el->num_values;
 	uint32_t rmd_flags;
-	const struct GUID *invocation_id;
 	NTTIME now;
 
 	unix_to_nt_time(&now, t);
 
-	invocation_id = samdb_ntds_invocation_id(ldb);
-	if (!invocation_id) {
-		return LDB_ERR_OPERATIONS_ERROR;
-	}
-
 	if (old_el == NULL || old_el->num_values == 0) {
 		/* there is nothing to delete... */
 		if (num_to_delete == 0) {
@@ -2703,7 +2696,7 @@ static int replmd_modify_la_delete(struct ldb_module *module,
 				}
 			}
 			ret = replmd_add_backlink(module, replmd_private,
-						  schema, msg_dn, &p->guid,
+						  ac->schema, msg_dn, &p->guid,
 						  false, schema_attr,
 						  parent);
 			if (ret != LDB_SUCCESS) {
@@ -2721,8 +2714,9 @@ static int replmd_modify_la_delete(struct ldb_module *module,
 
 			ret = replmd_update_la_val(old_el->values, p->v,
 						   p->dsdb_dn, p->dsdb_dn,
-						   invocation_id, seq_num,
-						   seq_num, now, 0, true);
+						   &ac->our_invocation_id,
+						   ac->seq_num, ac->seq_num,
+						   now, 0, true);
 			if (ret != LDB_SUCCESS) {
 				talloc_free(tmp_ctx);
 				return ret;
@@ -2784,7 +2778,7 @@ static int replmd_modify_la_delete(struct ldb_module *module,
 			/* remove the backlink */
 			ret = replmd_add_backlink(module,
 						  replmd_private,
-						  schema, 
+						  ac->schema,
 						  msg_dn,
 						  &p->guid,
 						  false, schema_attr,
@@ -2818,14 +2812,15 @@ static int replmd_modify_la_delete(struct ldb_module *module,
 
 		ret = replmd_update_la_val(old_el->values, exact->v,
 					   exact->dsdb_dn, exact->dsdb_dn,
-					   invocation_id, seq_num, seq_num,
+					   &ac->our_invocation_id,
+					   ac->seq_num, ac->seq_num,
 					   now, 0, true);
 		if (ret != LDB_SUCCESS) {
 			talloc_free(tmp_ctx);
 			return ret;
 		}
 		ret = replmd_add_backlink(module, replmd_private,
-					  schema, msg_dn,
+					  ac->schema, msg_dn,
 					  &p->guid,
 					  false, schema_attr,
 					  parent);
@@ -3204,8 +3199,8 @@ static int replmd_modify_handle_linked_attribs(struct ldb_module *module,
 			break;
 		case LDB_FLAG_MOD_DELETE:
 			ret = replmd_modify_la_delete(module, replmd_private,
-						      ac->schema, msg, el, old_el,
-						      schema_attr, ac->seq_num, t,
+						      ac, msg, el, old_el,
+						      schema_attr, t,
 						      old_msg->dn,
 						      parent);
 			break;
-- 
 replmd_replicated_request to replmd_modify_la_replace()
---
 .../dsdb/samdb/ldb_modules/repl_meta_data.c   | 31 +++++++------------
 1 file changed, 12 insertions(+), 19 deletions(-)
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
+++ a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
@@ -2870,12 +2870,11 @@ static int replmd_modify_la_delete(struct ldb_module *module,
  */
 static int replmd_modify_la_replace(struct ldb_module *module,
 				    struct replmd_private *replmd_private,
-				    const struct dsdb_schema *schema,
+				    struct replmd_replicated_request *ac,
 				    struct ldb_message *msg,
 				    struct ldb_message_element *el,
 				    struct ldb_message_element *old_el,
 				    const struct dsdb_attribute *schema_attr,
-				    uint64_t seq_num,
 				    time_t t,
 				    struct ldb_dn *msg_dn,
 				    struct ldb_request *parent)
@@ -2884,7 +2883,6 @@ static int replmd_modify_la_replace(struct ldb_module *module,
 	struct parsed_dn *dns, *old_dns;
 	TALLOC_CTX *tmp_ctx = talloc_new(msg);
 	int ret;
-	const struct GUID *invocation_id;
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
 	struct ldb_val *new_values = NULL;
 	const char *ldap_oid = schema_attr->syntax->ldap_oid;
@@ -2895,11 +2893,6 @@ static int replmd_modify_la_replace(struct ldb_module *module,
 
 	unix_to_nt_time(&now, t);
 
-	invocation_id = samdb_ntds_invocation_id(ldb);
-	if (!invocation_id) {
-		return LDB_ERR_OPERATIONS_ERROR;
-	}
-
 	/*
 	 * The replace operation is unlike the replace and delete cases in that
 	 * we need to look at every existing link to see whether it is being
@@ -2999,8 +2992,8 @@ static int replmd_modify_la_replace(struct ldb_module *module,
 				ret = replmd_update_la_val(new_values, old_p->v,
 							   old_p->dsdb_dn,
 							   old_p->dsdb_dn,
-							   invocation_id,
-							   seq_num, seq_num,
+							   &ac->our_invocation_id,
+							   ac->seq_num, ac->seq_num,
 							   now, 0, true);
 				if (ret != LDB_SUCCESS) {
 					talloc_free(tmp_ctx);
@@ -3008,7 +3001,7 @@ static int replmd_modify_la_replace(struct ldb_module *module,
 				}
 
 				ret = replmd_add_backlink(module, replmd_private,
-							  schema, 
+							  ac->schema,
 							  msg_dn,
 							  &old_p->guid, false,
 							  schema_attr,
@@ -3033,8 +3026,8 @@ static int replmd_modify_la_replace(struct ldb_module *module,
 			ret = replmd_update_la_val(new_values, old_p->v,
 						   new_p->dsdb_dn,
 						   old_p->dsdb_dn,
-						   invocation_id,
-						   seq_num, seq_num,
+						   &ac->our_invocation_id,
+						   ac->seq_num, ac->seq_num,
 						   now, 0, false);
 			if (ret != LDB_SUCCESS) {
 				talloc_free(tmp_ctx);
@@ -3044,7 +3037,7 @@ static int replmd_modify_la_replace(struct ldb_module *module,
 			rmd_flags = dsdb_dn_rmd_flags(old_p->dsdb_dn->dn);
 			if ((rmd_flags & DSDB_RMD_FLAG_DELETED) != 0) {
 				ret = replmd_add_backlink(module, replmd_private,
-							  schema, 
+							  ac->schema,
 							  msg_dn,
 							  &new_p->guid, true,
 							  schema_attr,
@@ -3066,15 +3059,15 @@ static int replmd_modify_la_replace(struct ldb_module *module,
 			ret = replmd_build_la_val(new_values,
 						  new_p->v,
 						  new_p->dsdb_dn,
-						  invocation_id,
-						  seq_num, seq_num,
+						  &ac->our_invocation_id,
+						  ac->seq_num, ac->seq_num,
 						  now, 0, false);
 			if (ret != LDB_SUCCESS) {
 				talloc_free(tmp_ctx);
 				return ret;
 			}
 			ret = replmd_add_backlink(module, replmd_private,
-						  schema,
+						  ac->schema,
 						  msg_dn,
 						  &new_p->guid, true,
 						  schema_attr,
@@ -3192,8 +3185,8 @@ static int replmd_modify_handle_linked_attribs(struct ldb_module *module,
 		switch (mod_type) {
 		case LDB_FLAG_MOD_REPLACE:
 			ret = replmd_modify_la_replace(module, replmd_private,
-						       ac->schema, msg, el, old_el,
-						       schema_attr, ac->seq_num, t,
+						       ac, msg, el, old_el,
+						       schema_attr, t,
 						       old_msg->dn,
 						       parent);
 			break;
-- 
 DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID
---
 .../knownfail.d/samba4.blackbox.dbcheck-links |   6 -
 .../samdb/ldb_modules/extended_dn_store.c     |   7 +
 .../dsdb/samdb/ldb_modules/repl_meta_data.c   | 145 ++++++++++++++++++
 source4/dsdb/samdb/ldb_modules/samldb.c       |  12 +-
 4 files changed, 161 insertions(+), 9 deletions(-)
 delete mode 100644 selftest/knownfail.d/samba4.blackbox.dbcheck-links
--- a/selftest/knownfail.d/samba4.blackbox.dbcheck-links	
+++ a/selftest/knownfail.d/samba4.blackbox.dbcheck-links	
@@ -1,6 +0,0 @@ 
-# The first one fails and all others are follow up failures...
-^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_missing_link_sid_corruption
-^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.missing_link_sid_clean
-^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_clean3
-^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_dangling_multi_valued
-^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dangling_multi_valued_check_equal_or_too_many
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_store.c	
+++ a/source4/dsdb/samdb/ldb_modules/extended_dn_store.c	
@@ -376,6 +376,7 @@ static int extended_dn_modify(struct ldb_module *module, struct ldb_request *req
 	unsigned int i, j;
 	struct extended_dn_context *ac;
 	struct ldb_control *fix_links_control = NULL;
+	struct ldb_control *fix_link_sid_ctrl = NULL;
 	int ret;
 
 	if (ldb_dn_is_special(req->op.mod.message->dn)) {
@@ -400,6 +401,12 @@ static int extended_dn_modify(struct ldb_module *module, struct ldb_request *req
 		return ldb_next_request(module, req);
 	}
 
+	fix_link_sid_ctrl = ldb_request_get_control(ac->req,
+					DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID);
+	if (fix_link_sid_ctrl != NULL) {
+		return ldb_next_request(module, req);
+	}
+
 	for (i=0; i < req->op.mod.message->num_elements; i++) {
 		const struct ldb_message_element *el = &req->op.mod.message->elements[i];
 		const struct dsdb_attribute *schema_attr
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
+++ a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
@@ -112,6 +112,8 @@ struct replmd_replicated_request {
 	bool is_urgent;
 
 	bool isDeleted;
+
+	bool fix_link_sid;
 };
 
 static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar);
@@ -2481,6 +2483,109 @@ static int replmd_modify_la_add(struct ldb_module *module,
 			return err;
 		}
 
+		if (ac->fix_link_sid) {
+			char *fixed_dnstring = NULL;
+			struct dom_sid tmp_sid = { 0, };
+			DATA_BLOB sid_blob = data_blob_null;
+			enum ndr_err_code ndr_err;
+			NTSTATUS status;
+			int num;
+
+			if (exact == NULL) {
+				talloc_free(tmp_ctx);
+				return ldb_operr(ldb);
+			}
+
+			if (dns[i].dsdb_dn->dn_format != DSDB_NORMAL_DN) {
+				talloc_free(tmp_ctx);
+				return ldb_operr(ldb);
+			}
+
+			/*
+			 * Only "<GUID=...><SID=...>" is allowed.
+			 *
+			 * We get the GUID to just to find the old
+			 * value and the SID in order to add it
+			 * to the found value.
+			 */
+
+			num = ldb_dn_get_comp_num(dns[i].dsdb_dn->dn);
+			if (num != 0) {
+				talloc_free(tmp_ctx);
+				return ldb_operr(ldb);
+			}
+
+			num = ldb_dn_get_extended_comp_num(dns[i].dsdb_dn->dn);
+			if (num != 2) {
+				talloc_free(tmp_ctx);
+				return ldb_operr(ldb);
+			}
+
+			status = dsdb_get_extended_dn_sid(exact->dsdb_dn->dn,
+							  &tmp_sid, "SID");
+			if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+				/* this is what we expect */
+			} else if (NT_STATUS_IS_OK(status)) {
+				struct GUID_txt_buf guid_str;
+				ldb_debug_set(ldb, LDB_DEBUG_FATAL,
+						       "i[%u] SID NOT MISSING... Attribute %s already "
+						       "exists for target GUID %s, SID %s, DN: %s",
+						       i, el->name,
+						       GUID_buf_string(&exact->guid,
+								       &guid_str),
+						       dom_sid_string(tmp_ctx, &tmp_sid),
+						       dsdb_dn_get_extended_linearized(tmp_ctx,
+							       exact->dsdb_dn, 1));
+				talloc_free(tmp_ctx);
+				return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
+			} else {
+				talloc_free(tmp_ctx);
+				return ldb_operr(ldb);
+			}
+
+			status = dsdb_get_extended_dn_sid(dns[i].dsdb_dn->dn,
+							  &tmp_sid, "SID");
+			if (!NT_STATUS_IS_OK(status)) {
+				struct GUID_txt_buf guid_str;
+				ldb_asprintf_errstring(ldb,
+						       "NO SID PROVIDED... Attribute %s already "
+						       "exists for target GUID %s",
+						       el->name,
+						       GUID_buf_string(&exact->guid,
+								       &guid_str));
+				talloc_free(tmp_ctx);
+				return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
+			}
+
+			ndr_err = ndr_push_struct_blob(&sid_blob, tmp_ctx, &tmp_sid,
+						       (ndr_push_flags_fn_t)ndr_push_dom_sid);
+			if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+				talloc_free(tmp_ctx);
+				return ldb_operr(ldb);
+			}
+
+			ret = ldb_dn_set_extended_component(exact->dsdb_dn->dn, "SID", &sid_blob);
+			data_blob_free(&sid_blob);
+			if (ret != LDB_SUCCESS) {
+				talloc_free(tmp_ctx);
+				return ret;
+			}
+
+			fixed_dnstring = dsdb_dn_get_extended_linearized(
+					new_values, exact->dsdb_dn, 1);
+			if (fixed_dnstring == NULL) {
+				talloc_free(tmp_ctx);
+				return ldb_operr(ldb);
+			}
+
+			/*
+			 * We just replace the existing value...
+			 */
+			*exact->v = data_blob_string_const(fixed_dnstring);
+
+			continue;
+		}
+
 		if (exact != NULL) {
 			/*
 			 * We are trying to add one that exists, which is only
@@ -3306,6 +3411,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
 	struct ldb_control *sd_propagation_control;
 	struct ldb_control *fix_links_control = NULL;
 	struct ldb_control *fix_dn_name_control = NULL;
+	struct ldb_control *fix_dn_sid_control = NULL;
 	struct replmd_private *replmd_private =
 		talloc_get_type(ldb_module_get_private(module), struct replmd_private);
 
@@ -3451,6 +3557,44 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
+	fix_dn_sid_control = ldb_request_get_control(req,
+					DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID);
+	if (fix_dn_sid_control != NULL) {
+		const struct dsdb_attribute *sa = NULL;
+
+		if (msg->num_elements != 1) {
+			talloc_free(ac);
+			return ldb_module_operr(module);
+		}
+
+		if (msg->elements[0].flags != LDB_FLAG_MOD_ADD) {
+			talloc_free(ac);
+			return ldb_module_operr(module);
+		}
+
+		if (msg->elements[0].num_values != 1) {
+			talloc_free(ac);
+			return ldb_module_operr(module);
+		}
+
+		sa = dsdb_attribute_by_lDAPDisplayName(ac->schema,
+				msg->elements[0].name);
+		if (sa == NULL) {
+			talloc_free(ac);
+			return ldb_module_operr(module);
+		}
+
+		if (sa->dn_format != DSDB_NORMAL_DN) {
+			talloc_free(ac);
+			return ldb_module_operr(module);
+		}
+
+		fix_dn_sid_control->critical = false;
+		ac->fix_link_sid = true;
+
+		goto handle_linked_attribs;
+	}
+
 	ldb_msg_remove_attr(msg, "whenChanged");
 	ldb_msg_remove_attr(msg, "uSNChanged");
 
@@ -3471,6 +3615,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
 		return ret;
 	}
 
+ handle_linked_attribs:
 	ret = replmd_modify_handle_linked_attribs(module, replmd_private,
 						  ac, msg, t, req);
 	if (ret != LDB_SUCCESS) {
--- a/source4/dsdb/samdb/ldb_modules/samldb.c	
+++ a/source4/dsdb/samdb/ldb_modules/samldb.c	
@@ -3770,9 +3770,15 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 
 	el = ldb_msg_find_element(ac->msg, "member");
 	if (el != NULL) {
-		ret = samldb_member_check(ac);
-		if (ret != LDB_SUCCESS) {
-			return ret;
+		struct ldb_control *fix_link_sid_ctrl = NULL;
+
+		fix_link_sid_ctrl = ldb_request_get_control(ac->req,
+					DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID);
+		if (fix_link_sid_ctrl == NULL) {
+			ret = samldb_member_check(ac);
+			if (ret != LDB_SUCCESS) {
+				return ret;
+			}
 		}
 	}
 
-- 
 the primaryGroupID field
---
 .../samba4.blackbox.test_primary_group        |  2 --
 source4/dsdb/samdb/ldb_modules/samldb.c       | 29 ++++++++++++++-----
 2 files changed, 21 insertions(+), 10 deletions(-)
 delete mode 100644 selftest/knownfail.d/samba4.blackbox.test_primary_group
--- a/selftest/knownfail.d/samba4.blackbox.test_primary_group	
+++ a/selftest/knownfail.d/samba4.blackbox.test_primary_group	
@@ -1,2 +0,0 @@ 
-^samba4.blackbox.test_primary_group.dbcheck.*run1
-^samba4.blackbox.test_primary_group.dbcheck.*run2
--- a/source4/dsdb/samdb/ldb_modules/samldb.c	
+++ a/source4/dsdb/samdb/ldb_modules/samldb.c	
@@ -1642,9 +1642,14 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 	struct ldb_result *res, *group_res;
 	struct ldb_message_element *el;
 	struct ldb_message *msg;
+	uint32_t search_flags =
+		DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_EXTENDED_DN;
 	uint32_t prev_rid, new_rid, uac;
 	struct dom_sid *prev_sid, *new_sid;
 	struct ldb_dn *prev_prim_group_dn, *new_prim_group_dn;
+	const char *new_prim_group_dn_ext_str = NULL;
+	struct ldb_dn *user_dn = NULL;
+	const char *user_dn_ext_str = NULL;
 	int ret;
 	const char * const noattrs[] = { NULL };
 
@@ -1658,10 +1663,15 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 	/* Fetch information from the existing object */
 
 	ret = dsdb_module_search_dn(ac->module, ac, &res, ac->msg->dn, attrs,
-				    DSDB_FLAG_NEXT_MODULE, ac->req);
+				    search_flags, ac->req);
 	if (ret != LDB_SUCCESS) {
 		return ret;
 	}
+	user_dn = res->msgs[0]->dn;
+	user_dn_ext_str = ldb_dn_get_extended_linearized(ac, user_dn, 1);
+	if (user_dn_ext_str == NULL) {
+		return ldb_operr(ldb);
+	}
 
 	uac = ldb_msg_find_attr_as_uint(res->msgs[0], "userAccountControl", 0);
 
@@ -1725,7 +1735,7 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 	ret = dsdb_module_search(ac->module, ac, &group_res,
 				 ldb_get_default_basedn(ldb),
 				 LDB_SCOPE_SUBTREE,
-				 noattrs, DSDB_FLAG_NEXT_MODULE,
+				 noattrs, search_flags,
 				 ac->req,
 				 "(objectSid=%s)",
 				 ldap_encode_ndr_dom_sid(ac, prev_sid));
@@ -1745,7 +1755,7 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 	ret = dsdb_module_search(ac->module, ac, &group_res,
 				 ldb_get_default_basedn(ldb),
 				 LDB_SCOPE_SUBTREE,
-				 noattrs, DSDB_FLAG_NEXT_MODULE,
+				 noattrs, search_flags,
 				 ac->req,
 				 "(objectSid=%s)",
 				 ldap_encode_ndr_dom_sid(ac, new_sid));
@@ -1758,11 +1768,16 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 		return LDB_ERR_UNWILLING_TO_PERFORM;
 	}
 	new_prim_group_dn = group_res->msgs[0]->dn;
+	new_prim_group_dn_ext_str = ldb_dn_get_extended_linearized(ac,
+							new_prim_group_dn, 1);
+	if (new_prim_group_dn_ext_str == NULL) {
+		return ldb_operr(ldb);
+	}
 
 	/* We need to be already a normal member of the new primary
 	 * group in order to be successful. */
 	el = samdb_find_attribute(ldb, res->msgs[0], "memberOf",
-				  ldb_dn_get_linearized(new_prim_group_dn));
+				  new_prim_group_dn_ext_str);
 	if (el == NULL) {
 		return LDB_ERR_UNWILLING_TO_PERFORM;
 	}
@@ -1774,8 +1789,7 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 	}
 	msg->dn = new_prim_group_dn;
 
-	ret = samdb_msg_add_delval(ldb, msg, msg, "member",
-				   ldb_dn_get_linearized(ac->msg->dn));
+	ret = samdb_msg_add_delval(ldb, msg, msg, "member", user_dn_ext_str);
 	if (ret != LDB_SUCCESS) {
 		return ret;
 	}
@@ -1793,8 +1807,7 @@ static int samldb_prim_group_change(struct samldb_ctx *ac)
 	}
 	msg->dn = prev_prim_group_dn;
 
-	ret = samdb_msg_add_addval(ldb, msg, msg, "member",
-				   ldb_dn_get_linearized(ac->msg->dn));
+	ret = samdb_msg_add_addval(ldb, msg, msg, "member", user_dn_ext_str);
 	if (ret != LDB_SUCCESS) {
 		return ret;
 	}
-- 
 current backlink behaviour
---
 .../samdb/ldb_modules/linked_attributes.c     | 18 +++++++++++++-
 .../dsdb/samdb/ldb_modules/repl_meta_data.c   | 24 ++++++++++++++-----
 testprogs/blackbox/test_primary_group.sh      |  6 ++++-
 3 files changed, 40 insertions(+), 8 deletions(-)
--- a/source4/dsdb/samdb/ldb_modules/linked_attributes.c	
+++ a/source4/dsdb/samdb/ldb_modules/linked_attributes.c	
@@ -25,7 +25,23 @@ 
  *
  *  Component: ldb linked_attributes module
  *
- *  Description: Module to ensure linked attribute pairs remain in sync
+ *  Description: Module to ensure linked attribute pairs (i.e. forward-links
+ *  and backlinks) remain in sync.
+ *
+ *  Backlinks are 'plain' links (without extra metadata). When the link target
+ *  object is modified (e.g. renamed), we use the backlinks to keep the link
+ *  source object updated. Note there are some cases where we can't do this:
+ *    - one-way links, which don't have a corresponding backlink
+ *    - two-way deactivated links, i.e. when a user is removed from a group,
+ *      the forward 'member' link still exists (but is inactive), however, the
+ *      'memberOf' backlink is deleted.
+ *  In these cases, we can end up with a dangling forward link which is
+ *  incorrect (i.e. the target has been renamed or deleted). We have dbcheck
+ *  rules to detect and fix this, and cope otherwise by filtering at runtime
+ *  (i.e. in the extended_dn module).
+ *
+ *  See also repl_meta_data.c, which handles updating links for deleted
+ *  objects, as well as link changes received from another DC.
  *
  *  Author: Andrew Bartlett
  */
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
+++ a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c	
@@ -4367,6 +4367,10 @@ static int replmd_delete_internals(struct ldb_module *module, struct ldb_request
 	     - preserved if in above list, or is rDN
 	  - remove all linked attribs from this object
 	  - remove all links from other objects to this object
+	    (note we use the backlinks to do this, so we won't find one-way
+	     links that still point to this object, or deactivated two-way
+	     links, i.e. 'member' after the user has been removed from the
+	     group)
 	  - add lastKnownParent
 	  - update replPropertyMetaData?
 
@@ -4488,12 +4492,12 @@ static int replmd_delete_internals(struct ldb_module *module, struct ldb_request
 
 			if (sa->linkID & 1) {
 				/*
-				  we have a backlink in this object
-				  that needs to be removed. We're not
-				  allowed to remove it directly
-				  however, so we instead setup a
-				  modify to delete the corresponding
-				  forward link
+				 * we have a backlink in this object
+				 * that needs to be removed. We're not
+				 * allowed to remove it directly
+				 * however, so we instead setup a
+				 * modify to delete the corresponding
+				 * forward link
 				 */
 				ret = replmd_delete_remove_link(module, schema,
 								replmd_private,
--