steve
2014-Jul-18 07:12 UTC
[Samba] winbind SID S-1-5-18 mapping inconsistency with roaming profiles
4.1.9

Hi

We have an id mapping problem with one SID in particular:

wbinfo --sid-to-name=S-1-5-18
NT AUTHORITY\SYSTEM 5

With the ranges specified in our smb.conf, the mapping is not derived from the idmap db. Here is a user stevec who has just logged out of windows and had his profile written for the first time:

# file: stevec/
# owner: stevec
# group: domain\040users
user::rwx
user:stevec:rwx
group::--x
group:19905:rwx
group:domain\040users:---
mask::rwx
other::--x
default:user::rwx
default:user:stevec:rwx
default:group::---
default:group:19905:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---

Under our config, SID S-1-5-18 is mapped to 19905

But in idmap.ldb this is:

record 51
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18

If a second DC is consulted, S-1-5-18 is mapped to a different id, so our workaround of consistent BUILTIN mapping (by transferring idmap.ldb from the main DC to any subsequent DCs before the subsequent DCs are started) doesn't work and the roaming profile fails.

Unless we can remove the * range of winbind and use ONLY the domain range, we can't work around this. Can we? If we are using roaming profiles, we cannot use winbind.

Problem: we cannot include the BUILTINs in the range specified for AD as is dictated by the idmap db.

[global]
workgroup = HH3
netbios name = SMBCLUSTER
realm = HH3.SITE
security = ADS
kerberos method = secrets and keytab
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 19900-19999
idmap config HH3 : backend = ad
idmap config HH3 : range = 20000-4000000
idmap config HH3 : schema_mode = rfc2307
clustering = Yes
ctdbd socket = /var/lib/ctdb/ctdb.socket

[users]
path = /cluster/users
read only = No

[profiles]
path = /cluster/profiles
read only = No

Qn.

1. Is it possible to include the BUILTIN groups in AD (a schema extension perhaps?) so we can avoid the external mapping?

2. Will the proposal of some kind of hard coded mapping for the BUILTINs be included soon?

There is a possible workaround, we think: editing the xidNumber in the idmap db to the value which winbind applies, but this involves changing the CN=CONFIG limits object too. I'm not sure what the consequences of changing those limits are, save to say that we are not confident to go public with it, even though so far our tests have held up: adding new users and groups seems OK, but. . .

Any thoughts or ideas most welcome.

Cheers,
Steve