Something we noticed after upgrading from 3.0.14a to 3.0.20 and still a problem with 3.0.23c on Solaris 9 Sparc. Windows 2003 server running Active Directory.

The examples below are all with 3.0.23c downloaded last week and compiled from source using gcc 3.3.something. 3.0.14a works perfectly using the same smb.conf.

We use Samba to do proxy authentication for squid using ntlm_auth and group membership. The Squid script uses, amongst other commands, wbinfo -r to see the groups a user is a member of. Initially, that is when there are no .tdb files in the locks directory, this works fine and all the groups are returned. We have some users who are members of more than 40 groups on the PDC.

After a while the number of groups returned is only 16 (and always 16). By coincidence 16 is the default maximum number of groups a user may be in on Solaris. This seems to be when group memberships become cached in winbindd_cache.tdb.

The thing is that not all users get limited to 16 groups, some continue to return the full list of groups. The only difference I could observe was that the users that returned only 16 groups had a much shorter entry as shown by tdbdump winbindd_cache.tdb. In this case the entry looked like this:

{
key(49) = "UG/S-1-5-21-2000478354-1972579041-725345543-36649"
data(104) = "\00\00\00\00\1A\5C\DC\02\02\00\00\00.S-1-5-21-2000478354-1972579041-725345543-36649,S-1-5-21-2000478354-1972579041-725345543-513"
}

In the case of a user that works correctly the full list of SIDs is returned by tdbdump. I don't have an example handy for that case.
The smb.conf is very simple as we are essentially using Samba for squid proxy authentication only:

[global]
    workgroup = AU
    realm = au.example.net
    server string = Samba %v on %h
    local master = no
    wins support = no
    encrypt passwords = yes
    invalid users = root
    security = ads
    username map = /usr/local/etc/smbusers
    password server = adserver1.example.net adserver2.example.net
    winbind uid = 20000-25000
    winbind gid = 20000-25000
    winbind use default domain = yes
    disable netbios = yes
    #log level = 1
    log level = 1 winbind:10

[homes]
    comment = Home Directories
    guest ok = no
    read only = no
    browseable = no

and the contents of log.winbindd at level 10 for a request that returned only 16 groups:

[2006/10/03 17:09:49, 6] nsswitch/winbindd.c:new_connection(601)
  accepted socket 18
[2006/10/03 17:09:49, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn INTERFACE_VERSION
[2006/10/03 17:09:49, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(474)
  [ 0]: request interface version
[2006/10/03 17:09:49, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/10/03 17:09:49, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(507)
  [ 0]: request location of privileged pipe
[2006/10/03 17:09:49, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETGROUPS
[2006/10/03 17:09:49, 3] nsswitch/winbindd_group.c:winbindd_getgroups(991)
  [ 0]: getgroups glenn
[2006/10/03 17:09:49, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1995)
  Retrieving response for pid 991
[2006/10/03 17:09:49, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1995)
  Retrieving response for pid 991
[2006/10/03 17:09:49, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2017)
  Retrieving extra data length=93
[2006/10/03 17:09:49, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1995)
  Retrieving response for pid 991
[2006/10/03 17:09:49, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2017)
  Retrieving extra data length=658
[2006/10/03 17:09:49, 10] nsswitch/winbindd_async.c:gettoken_recvaliases(1088)
  Expanding our own local groups
[2006/10/03 17:09:49, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1995)
  Retrieving response for pid 1003
[2006/10/03 17:09:49, 10] nsswitch/winbindd_async.c:getsidaliases_recv(839)
  getsidaliases return 0 SIDs
[2006/10/03 17:09:49, 10] nsswitch/winbindd_async.c:gettoken_recvaliases(1098)
  Expanding our own BUILTIN groups
[2006/10/03 17:09:49, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1995)
  Retrieving response for pid 1004
[2006/10/03 17:09:49, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2017)
  Retrieving extra data length=14
[2006/10/03 17:09:49, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(665)
  find_lookup_domain_from_sid(S-1-5-32-545)
[2006/10/03 17:09:49, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(668)
  calling find_domain_from_sid
[2006/10/03 17:09:49, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1995)
  Retrieving response for pid 1004
[2006/10/03 17:09:49, 7] nsswitch/winbindd_async.c:idmap_sid2gid_async(370)
  idmap_sid2gid_async: Resolving S-1-5-32-545 to a gid
[2006/10/03 17:09:49, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1995)
  Retrieving response for pid 1005
[2006/10/03 17:09:49, 10] nsswitch/winbindd_async.c:sid2gid_noalloc_recv(1364)
  found gid for sid S-1-5-32-545 in remote backend

This has rambled on a bit, however, if there's some extra piece of information that will help then please feel free to ask for it.

regards,
-glenn
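
Added example, not part of the original post and not Samba code: a decoder for the UG/ records that tdbdump prints from winbindd_cache.tdb, so the cached SID list of each user can be counted and short entries picked out when group membership drives proxy authorization. The record layout (three little-endian 32-bit fields for status, sequence number and SID count, then length-prefixed SID strings) is an assumption inferred from the byte counts of the record quoted above; the function names are hypothetical and the sample input is constructed from that record.

```python
import re
import struct

# Constructed input: the record quoted in the post, in tdbdump's layout.
SAMPLE_DUMP = r'''{
key(49) = "UG/S-1-5-21-2000478354-1972579041-725345543-36649"
data(104) = "\00\00\00\00\1A\5C\DC\02\02\00\00\00.S-1-5-21-2000478354-1972579041-725345543-36649,S-1-5-21-2000478354-1972579041-725345543-513"
}
'''
RECORD = re.compile(r'^key\((\d+)\) = "(.*)"\n^data\((\d+)\) = "(.*)"$', re.M)

def unescape(text):
    """Turn tdbdump's \\XX hex escapes back into raw bytes."""
    return re.sub(rb'\\([0-9A-Fa-f]{2})',
                  lambda m: bytes([int(m.group(1), 16)]),
                  text.encode('latin-1'))

def decode_ug(data):
    """Assumed layout: status, sequence number, SID count (uint32 LE each),
    then one length byte plus an ASCII SID string per entry."""
    status, seq, count = struct.unpack_from('<III', data, 0)
    pos, sids = 12, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError('record ends before all SIDs were read')
        length = data[pos]
        sid = data[pos + 1:pos + 1 + length]
        if len(sid) != length:
            raise ValueError('SID string runs past end of record')
        sids.append(sid.decode('ascii'))
        pos += 1 + length
    if pos != len(data):
        raise ValueError('unexpected trailing bytes')
    return status, seq, sids

def cached_groups(dump):
    """Map each user SID with a UG/ entry to (status, seq, cached SIDs)."""
    result = {}
    for klen, key, dlen, data in RECORD.findall(dump):
        kraw, draw = unescape(key), unescape(data)
        if len(kraw) != int(klen) or len(draw) != int(dlen):
            raise ValueError('declared length mismatch for ' + key)
        if kraw.startswith(b'UG/'):
            result[kraw[3:].decode('ascii')] = decode_ug(draw)
    return result

def short_entries(dump, minimum):
    """User SIDs whose cached list holds fewer than `minimum` SIDs."""
    return sorted(u for u, v in cached_groups(dump).items() if len(v[2]) < minimum)
```

Feeding it the full output of tdbdump winbindd_cache.tdb and comparing the per-user counts with what the domain controller reports shows which cached entries are shorter than the real membership.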