2008/09/20

Samba UID-SID mapping in multiple domains

After days of studying Samba, I finally have a hint on the UID-SID mapping problem. It is related to overlapping SIDs in the multiple-domain case: for example, DOMAINA\fai has the SID x-x-x-x-1001 and DOMAINB\fai has the SID y-y-y-y-1001. These are different from the point of view of Windows, but they are the same in Samba, so winbind assigns DOMAINB\fai another UID on the Linux side, which is unpredictable and inconsistent.
The worst thing is that even with only one domain, different servers may get different mappings due to UID collisions. To make it consistent, we need to use the RID method in the Samba configuration:
idmap backend = rid:"DOMAINA=16777216-33554431"
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
But this doesn't work for multiple domains. To handle the multiple-domain case, use this instead:
idmap domains = DOMAINA DOMAINB
idmap config DOMAINA:default = yes
idmap config DOMAINA:backend = rid
idmap config DOMAINB:backend = rid
idmap config DOMAINA:base_rid = 1000
idmap config DOMAINB:base_rid = 1000
idmap config DOMAINA:range = 10000-19999
idmap config DOMAINB:range = 20000-29999
Together with the idmap uid and idmap gid ranges, this avoids any collision and keeps the UID-SID mapping consistent all the time.
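Here is a small Python simulation of how the rid backend maps the two SIDs from the example above into separate UID ranges with this configuration. It is an added example, not code from the original post or from Samba; the domain SIDs and the config text are constructed, and the mapping follows the formula documented for idmap_rid (ID = RID - base_rid + low end of the range), plus a check that no two domain ranges overlap.

```python
# Added example, not from the original post: simulates the per-domain mapping
# Samba's idmap_rid backend performs on the smb.conf fragment above, using the
# formula idmap_rid documents: ID = RID - base_rid + low_range. SIDs are constructed.
import re
SMB_CONF = """
idmap domains = DOMAINA DOMAINB
idmap config DOMAINA:default = yes
idmap config DOMAINA:backend = rid
idmap config DOMAINB:backend = rid
idmap config DOMAINA:base_rid = 1000
idmap config DOMAINB:base_rid = 1000
idmap config DOMAINA:range = 10000-19999
idmap config DOMAINB:range = 20000-29999
"""

# Constructed domain SIDs standing in for x-x-x-x and y-y-y-y in the post.
DOMAIN_SIDS = {
    "S-1-5-21-111-222-333": "DOMAINA",
    "S-1-5-21-444-555-666": "DOMAINB",
}

def parse_idmap_config(text):
    """Collect 'idmap config DOM:key = value' lines into {DOM: {key: value}}."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*idmap config (\w+):(\w+)\s*=\s*(.+?)\s*$", line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg

def check_ranges(cfg):
    """Raise if two domains' ranges overlap; overlap would re-create the collision."""
    spans = sorted((tuple(map(int, c["range"].split("-"))), d) for d, c in cfg.items())
    for a, b in zip(spans, spans[1:]):
        if a[0][1] >= b[0][0]:
            raise ValueError("idmap ranges overlap: %s and %s" % (a[1], b[1]))

def sid_to_uid(sid, cfg):
    """Apply idmap_rid: uid = rid - base_rid + low. Returns None if unmappable."""
    dom_sid, rid = sid.rsplit("-", 1)
    domain = DOMAIN_SIDS.get(dom_sid)
    if domain is None or cfg.get(domain, {}).get("backend") != "rid":
        return None  # unknown domain, or not handled by the rid backend
    rid, base = int(rid), int(cfg[domain].get("base_rid", 0))
    low, high = map(int, cfg[domain]["range"].split("-"))
    if rid < base:  # SIDs with a RID below base_rid are filtered out
        return None
    uid = rid - base + low
    return uid if uid <= high else None  # beyond the domain's range: no mapping
```

With this configuration DOMAINA\fai (RID 1001) lands on UID 10001 and DOMAINB\fai (RID 1001) on UID 20001, so the same RID in two domains can no longer collide.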

Source: http://www.mail-archive.com/samba@lists.samba.org/msg95890.html