PR: https://github.com/truenas/middleware/pull/7511

Background
In a Windows / AD environment, all objects are identified by
SID. SIDs for user / group objects take the form
`S-1-5-21- - `

The component for a SID will vary depending on
whether the account is a local one or one from an external domain.
A domain sid is of the form `S-1-5-21- `, and every
TrueNAS server has a unique domain sid, which is randomly
generated by samba libraries when it is first needed.

Each relative id (rid) uniquely identifies an object in the domain.
Certain rids are present in every domain. Of particular note
for this commit are the following:

```
S-1-5-21- -501 - Guest
S-1-5-21- -512 - Domain Admins
S-1-5-21- -513 - Domain Users
S-1-5-21- -514 - Domain Guests
```

In addition to domain (S-1-5-21) sids, every Windows computer
and Samba server has sids that are identical on every machine
that are prefixed with S-1-5-32 (built-in groups). Of particular note
for this commit are the following:
```
S-1-5-32-544 - Adminstrators
S-1-5-32-545 - Users
S-1-5-32-546 - Guests
```

Since Unix-like servers use uids / gids (xids) to identify users and
groups rather than sids, sids must be mapped into xids and vice-versa.
This task falls on Samba's passdb, groupdb, and winbindd's idmapping
facilities.

During samba startup, if samba's groupdb lacks entries for
Administrators, Users, and Guests, then they will be automatically
added by allocating new gids for each of them from winbindd's idmap
backend that has been configured to provide mappings for built-in
sids. This allocation increments the xid high-water mark in
winbindd_idmap.tdb, (but does not write the explicit mapping in
the key-value store) and then writes the explicit mapping in
group_mapping.tdb.

Windows has the concept of nested groups. Groups in Windows may
have members that are either users or groups. Accordingly, each
groupmap entry in group_mapping.tdb may have zero or more
foreign memberships in it. The following is a sample tdb entry:

```
{
key(23) = "UNIXGROUP/S-1-5-32-546\00"
data(32) = "\83J]\05\04\00\00\00Guests\00Local Unix group\00"
}
{
key(54) = "MEMBEROF/S-1-5-21-944110568-1438105595-1944063070-514\00"
data(13) = "S-1-5-32-546\00"
}
```

In this case, S-1-5-32-546 is mapped to gid 90,000,002 and has
a foreign member of S-1-5-21-944110568-1438105595-1944063070-514.

During the domain-join process, libads adds domain sids as members
of the above built-in groups:
```
S-1-5-21- -512 --> S-1-5-32-544
S-1-5-21- -513 --> S-1-5-32-545
S-1-5-21- -514 --> S-1-5-32-546
```

Which means that when nss_winbind generates a passwd struct for
a domain user, BUILTIN\Users is added to the grouplist with the
gid listed in the group_mapping.tdb.

Problem
There are various situations that can occur where original
mapping for builtins is lost or remapped to different ids
foreign memberships are lost, or id collisions are generated
with other groups allocated in winbindd_idmap.tdb.

Although these built-in groups are not exposed via middleware and
the webui, they are exposed via the SMB protocol and Samba's
RPC endpoints. The most common reason for them to be used is
when robocopy is used to migrate data from a Windows share on
Windows server where the system administrator is using
built-in groups rather than AD groups to share data.

Impact
Impact of potential indetermenancy with the mapping potentially
profound. User tokens may be generated with incorrect ids,
and filesystem ACLs may cease to grant expected access.
If foreign group membership is dropped, then built-in groups
will not appear in passwd entries for AD and local users.

Resolution
When built-in groups are handled by idmap_tdb (default),
ensure that Administrators, Users, and Guests are mapped
explicitly to the lowest three gids in the range that is
specified for the default domain . Use newly-added
json-based batch operations for groupmap to achieve this.
net_groupmap text variant does not allow direct manipulation
of gids in the groupmap file, which creates a chicken-and-egg
problem for mapping built-ins explicitly when there is no
corresponding winbindd_idmap.tdb entry.

Adjust high-water-mark in idmap_tdb to never allocate gids
in this reserved area.

Ensure that local builtin_users, builtin_admins, builtin_guests
groups are mapped to the respective local domain (TrueNAS)
domain users, domain admins, domain guests SIDs.

Ensure that foreign mappings for Administrators, Users, and Guests
always exist.