diff --git a/selftest/knownfail.d/bug-10319 b/selftest/knownfail.d/bug-10319
deleted file mode 100644
index 0218e6bda53..00000000000
--- a/selftest/knownfail.d/bug-10319
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.ldap.bind\(fl2008r2dc\).__main__.BindTests.test_user_account_bind\(fl2008r2dc\)
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index 544a5f6a88c..df5126b7a7d 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -889,6 +889,9 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_
 	const char * const _domain_attrs_display[] = { "ncName", "dnsRoot", NULL};
 	const char * const _result_attrs_display[] = { "displayName", "samAccountName", NULL};
 
+	const char * const _domain_attrs_sid[] = { "ncName", "dnsRoot", NULL};
+	const char * const _result_attrs_sid[] = { "objectSid", NULL};
+
 	const char * const _domain_attrs_none[] = { "ncName", "dnsRoot" , NULL};
 	const char * const _result_attrs_none[] = { NULL};
 
@@ -923,6 +926,10 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_
 		domain_attrs = _domain_attrs_spn;
 		result_attrs = _result_attrs_spn;
 		break;
+	case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY:
+		domain_attrs = _domain_attrs_sid;
+		result_attrs = _result_attrs_sid;
+		break;
 	default:
 		domain_attrs = _domain_attrs_none;
 		result_attrs = _result_attrs_none;
@@ -1271,12 +1278,25 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_
 		}
 		return WERR_OK;
 	}
-	case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN:
-	case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
+	case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN: {
 		info1->dns_domain_name = NULL;
 		info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
 		return WERR_OK;
 	}
+	case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
+		const struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, result, "objectSid");
+
+		if (sid == NULL) {
+			info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
+			return WERR_OK;
+		}
+
+		info1->result_name = dom_sid_string(mem_ctx, sid);
+		W_ERROR_HAVE_NO_MEMORY(info1->result_name);
+
+		info1->status = DRSUAPI_DS_NAME_STATUS_OK;
+		return WERR_OK;
+	}
 	case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL: {
 		info1->result_name = ldb_msg_find_attr_as_string(result, "userPrincipalName", NULL);
 		if (!info1->result_name) {
@@ -1487,6 +1507,12 @@ NTSTATUS crack_auto_name_to_nt4_name(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_OK;
 	}
 
+	/*
+	 * Here we only consider a subset of the possible name forms listed in
+	 * [MS-ADTS] 5.1.1.1.1, and we don't retry with a different name form if
+	 * the first attempt fails.
+	 */
+
 	if (strchr_m(name, '=')) {
 		format_offered = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
 	} else if (strchr_m(name, '@')) {
@@ -1495,6 +1521,8 @@ NTSTATUS crack_auto_name_to_nt4_name(TALLOC_CTX *mem_ctx,
 		format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
 	} else if (strchr_m(name, '/')) {
 		format_offered = DRSUAPI_DS_NAME_FORMAT_CANONICAL;
+	} else if ((name[0] == 'S' || name[0] == 's') && name[1] == '-') {
+		format_offered = DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY;
 	} else {
 		return NT_STATUS_NO_SUCH_USER;
 	}
diff --git a/source4/torture/drs/python/cracknames.py b/source4/torture/drs/python/cracknames.py
index e4884ea0f63..f2446050d8c 100644
--- a/source4/torture/drs/python/cracknames.py
+++ b/source4/torture/drs/python/cracknames.py
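Review bot: The new SID_OR_SID_HISTORY output case is undocumented on the one point a reader will ask about: since `_result_attrs_sid` at the top of the function requests only `objectSid`, this direction always emits the object's current SID and never a historical one, which matches the format's output definition but deserves a line such as `/* output direction: return the current objectSid only; sidHistory is never emitted */` above the `samdb_result_dom_sid` call. The case also leaves `info1->dns_domain_name` untouched whereas the adjacent DNS_DOMAIN case clears it explicitly; presumably the field was already populated from the domain lookup before the switch, but that code is outside this hunk, so please confirm rather than rely on it. On `sid == NULL` the status becomes NO_MAPPING while `result_name` keeps its prior value, which is consistent with the other cases only if it was initialised to NULL earlier. DsCrackNameOneFilter starts and ends outside the hunk.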
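Review bot: The added `S-`/`s-` prefix test in crack_auto_name_to_nt4_name only classifies the string; whether it is a well-formed SID is decided by the SID_OR_SID_HISTORY offered-format path, which is not in this diff, so a short comment should tie the two together, e.g. `/* anything starting with "S-" goes to the SID parser; malformed SIDs are rejected there, not here */`. Reading `name[1]` is safe because the `&&` only evaluates it after `name[0]` matched a non-NUL character, and a bare account name beginning with "S-" was already unresolvable through this function before the change (it hit the `NT_STATUS_NO_SUCH_USER` fallback), so this is not a regression for such names. The function starts and ends outside the hunk.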
@@ -60,8 +60,7 @@ class DrsCracknamesTestCase(drs_base.DrsBaseTestCase):
         drsuapi.DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
         drsuapi.DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX,
         drsuapi.DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
-        # We currently don't support this
-        # drsuapi.DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY,
+        drsuapi.DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY,
         # This format is not supported by Windows (or us)
         # drsuapi.DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN,
     }
diff --git a/source4/torture/rpc/drsuapi_cracknames.c b/source4/torture/rpc/drsuapi_cracknames.c
index f23c33fed7f..102f9664b3a 100644
--- a/source4/torture/rpc/drsuapi_cracknames.c
+++ b/source4/torture/rpc/drsuapi_cracknames.c
@@ -129,7 +129,6 @@ static bool test_DsCrackNamesMatrix(struct torture_context *tctx,
 			break;
 		case DRSUAPI_DS_NAME_FORMAT_UNKNOWN: /* should fail as we ask server to convert to Unknown format */
 		case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN:
-		case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY:
 			if (r.out.ctr->ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR) {
 				err_msg = talloc_asprintf(mem_ctx,
 					"Unexpected error (%d): This name lookup should fail",
@@ -156,7 +155,6 @@ static bool test_DsCrackNamesMatrix(struct torture_context *tctx,
 			n_from[i] = service_principal_name;
 			break;
 		case DRSUAPI_DS_NAME_FORMAT_UNKNOWN:
-		case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY:
 		case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN:
 			n_from[i] = NULL;
 			break;
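Review bot: Dropping SID_OR_SID_HISTORY from the `n_from[i] = NULL` group in the second hunk means the matrix now needs a case that assigns a SID string for that format, and no such assignment is visible in this diff; if it does not exist elsewhere in the function, `n_from[i]` keeps whatever that slot held before the switch. The first hunk likewise moves SID results out of the RESOLVE_ERROR-expected group, so a conversion that still answers RESOLVE_ERROR or NO_MAPPING would presumably surface through the generic status check rather than the explicit "This name lookup should fail" message, which makes failures harder to read; a comment like `/* SID_OR_SID_HISTORY is now expected to resolve in both directions */` next to the remaining cases would record the intent. test_DsCrackNamesMatrix starts and ends outside both hunks.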