[Samba] Unable to update SID using pdbedit

[Cooper S. Blake]

Since I have had trouble getting the net rpc vampire command to
properly migrate passwords, I have been looking into stripping down
the net rpc samdump results into a smbpasswd backend file, then
importing from there into my tdbsam.

The first problem I ran into is that the samdump produces RID values
from the domain, whereas I need it to represent UIDs that already
exist.  No problem, since my local accounts already exist from the
vampire command.  Then I can just update the SID for each account
using pdbedit -U after importing.

The problem I'm having is that I am mostly unable to change the SID
for users.  I tried picking new SIDs at random, and I came across
a few SIDs that would work, but it largely gives me this result:

Unable to modify TDB passwd: NT_STATUS_UNSUCCESSFUL!
Unable to modify entry!

I tried deleting the passdb.tdb, secrets.tdb, and winbindd_idmap.tdb
files, then starting from scratch.  I can create accounts which
get incrementally assigned to 1000, 1001, etc.  But I cannot seem
to manually update the SID.  What are the conditions for this
command?  I have tried running it in the following ways:

pdbedit -U 1005 username
pdbedit -U <full SID> username
pdbedit -r -U <full SID> -u username

Running the command with -d10 does not reveal anything interesting.
So what's the deal with SID reassignment?  There are obviously some
significant restrictions that I'm not aware of.

How exactly does the net rpc vampire command work?  Why would it
successfully import users and groups but not be able to set the
password hashes properly in tdbsam?

thanks,
Cooper