I have the following configuration:
Solaris 9 (patch 112960-10 applied)
Samba 3.0.8 (configure --with-ads --with-pam --with-winbind)
MIT Kerberos 1.3.5 (configure --enable-dns --enable-dns-for-kdc --enable-dns-for-realm --without-tcl)
I am using Samba to share files to our Windows users via a Samba share,
security = ads. All the shares work just fine.
Here is the relevant section of my smb.conf file:
[global]
workgroup = FFFC
realm = FFFC.COM
server string = Fileshare
security = ads
password server = *
log level = 2
log file = /var/log/samba/%m.log
min protocol = NT1
time server = Yes
change notify timeout = 300
deadtime = 7
socket options = TCP_NODELAY SO_RCVBUF=8192 IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 99
domain master = No
ldap ssl = no
idmap uid = 50000-59999
idmap gid = 50000-59999
winbind separator = +
winbind cache time = 10
winbind nested groups = Yes
hide unreadable = Yes
delete veto files = Yes
inherit acls = Yes
inherit permissions = Yes
wins server = 10.1.240.90 10.1.240.91
use spnego = Yes
[exlist$]
comment = Test share
path = /export/smbfiles/exlist
create mask = 0777
directory mask = 0777
security mask = 0777
force group = root
force user = root
writeable = Yes
read only = No
valid users = FFFC+Citrix_Base
write list = FFFC+Citrix_Base
veto files = /*.?pg/*.avi/favicon.ico/robots.txt/.htaccess/*.wm*/.rhosts/*.rm/*.mp?/*.asf/*.wav/*.?peg/*.midi/*.aif*/*.au/*.as?/*.wpl/
hide files = /Thumbs.db/.*/
dos filetimes = Yes
The problem that I am having is that some groups cannot be accessed by a
`getent group` command.
I can see the group with wbinfo:
$ wbinfo -g | grep FFFC+Citrix_Base
FFFC+Citrix_Base
$ wbinfo -n FFFC+Citrix_Base
S-1-5-21-393102617-441343358-1233803906-9715 Domain Group (2)
$ wbinfo -Y S-1-5-21-393102617-441343358-1233803906-9715
50308
$ wbinfo -G 50308
S-1-5-21-393102617-441343358-1233803906-9715
As you can clearly see, FFFC+Citrix_Base is a valid Active Directory group.
But when I use `getent`, I get different numbers of groups:
$ wbinfo -g | wc -l
327
$ getent group | awk -F: '{print $1}'|wc -l
315
Also, when I try to view the group with a `getent` command, winbindd seems
to hang.
$ getent group FFFC+Citrix_Base
I left it for three hours and it still did not return the group.
The group FFFC+Citrix_Base contains a lot of users (more than 500 for sure,
possibly more than 1000).
This is preventing me from using FFFC+Citrix_Base as a way to control access
to this share.
Does anyone have any insight or, better yet, a solution to this problem?
I see that 3.0.9 has just been released. I may try that but looking at the
release notes, it does not appear that this problem is addressed by 3.0.9.
Thank you in advance.
Mark.
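
The count comparison in the post above (327 groups from wbinfo, 315 from getent) can be turned into a list of the affected group names, each of which is then probed with a time limit so that a hanging lookup does not block the shell. This is an added example, not part of the original post: the function names, the exit code 124 for a timed-out lookup, and every sample group except FFFC+Citrix_Base are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# On a live host, save the two listings and probe each missing group:
#   wbinfo -g > wb.txt; getent group > nss.txt
#   groups_missing_from_nss wb.txt nss.txt | while IFS= read -r g; do
#       run_with_limit 30 getent group "$g"; echo "$g: exit $?"; done

# groups_missing_from_nss WBINFO_FILE GETENT_FILE
#   WBINFO_FILE: saved `wbinfo -g` output, one group name per line
#   GETENT_FILE: saved `getent group` output (name:passwd:gid:members)
# Prints the names winbind lists that NSS enumeration did not return.
groups_missing_from_nss() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             NF && !($0 in seen)' "$2" "$1" | LC_ALL=C sort -u
}

# run_with_limit SECONDS CMD [ARGS...]
#   Runs CMD with output discarded. Returns CMD's exit status, or 124 when
#   CMD was still running after SECONDS and the watchdog sent it SIGTERM.
run_with_limit() {
    limit=$1; shift
    "$@" >/dev/null 2>&1 &
    cmd_pid=$!
    ( sleep "$limit"; kill "$cmd_pid" ) >/dev/null 2>&1 &
    dog_pid=$!
    status=0
    wait "$cmd_pid" || status=$?
    kill "$dog_pid" 2>/dev/null || :
    # 143 = 128 + SIGTERM: the command was terminated, here by the watchdog.
    [ "$status" -eq 143 ] && status=124
    return "$status"
}

# Constructed sample data standing in for the two saved listings.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'FFFC+Citrix_Base' 'FFFC+Domain Users' 'FFFC+Helpdesk' \
        > "$dir/wbinfo.txt"
    printf '%s\n' 'root::0:root' 'FFFC+Domain Users:x:50000:' \
        'FFFC+Helpdesk:x:50012:' > "$dir/getent.txt"
    groups_missing_from_nss "$dir/wbinfo.txt" "$dir/getent.txt"
    rm -rf "$dir"
}
demo
```

A group that exits 124 is one where the lookup itself hangs, as described for FFFC+Citrix_Base; a group that returns a non-zero status quickly is missing for a different reason.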