1 files changed, 33 insertions, 4 deletions

diff --git a/source3/passdb/pdb_util.c b/source3/passdb/pdb_util.c
index 31fd018e8c..bf7b2b8abd 100644
--- a/source3/passdb/pdb_util.c
+++ b/source3/passdb/pdb_util.c
@@ -26,6 +26,7 @@
 #include "../libcli/security/security.h"
 #include "passdb.h"
 #include "lib/winbind_util.h"
+#include "../librpc/gen_ndr/idmap.h"
 
 /**
  * Add sid as a member of builtin_sid.
@@ -72,16 +73,44 @@ NTSTATUS pdb_create_builtin(uint32_t rid)
 	NTSTATUS status = NT_STATUS_OK;
 	struct dom_sid sid;
 	gid_t gid;
+	bool mapresult;
 
 	if (!sid_compose(&sid, &global_sid_Builtin, rid)) {
 		return NT_STATUS_NO_SUCH_ALIAS;
 	}
 
-	if (!sid_to_gid(&sid, &gid)) {
-		if (!lp_winbind_nested_groups() || !winbind_ping()) {
-			return NT_STATUS_PROTOCOL_UNREACHABLE;
+	if (!pdb_is_responsible_for_builtin()) {
+		/*
+		 * if this backend is not responsible for BUILTIN
+		 *
+		 * Use the gid from the mapping request for entry.
+		 * If the mapping fails, bail out
+		 */
+		mapresult = sid_to_gid(&sid, &gid);
+		if (!mapresult) {
+			status = NT_STATUS_NO_SUCH_GROUP;
+		} else {
+			status = pdb_create_builtin_alias(rid, gid);
+		}
+	} else {
+		/*
+		 * this backend is responsible for BUILTIN
+		 *
+		 * a failed mapping result means that the entry
+		 * does not exist yet, so create it
+		 *
+		 * we use pdb_sid_to_id intentionally here to
+		 * directly query the passdb backend (sid_to_gid
+		 * would finally do the same)
+		 */
+		struct unixid id;
+		mapresult = pdb_sid_to_id(&sid, &id);
+		if (!mapresult) {
+			if (!lp_winbind_nested_groups() || !winbind_ping()) {
+				return NT_STATUS_PROTOCOL_UNREACHABLE;
+			}
+			status = pdb_create_builtin_alias(rid, 0);
 		}
-		status = pdb_create_builtin_alias(rid, 0);
 	}
 	return status;
 }