Earsh Nandkeshwar
2014-Mar-27 23:49 UTC
[Samba] Help with winbind getusersids across forests
I am hoping someone can shed some light on this. We have a setup that is using Active Directory Windows 2008 R2 with 2 domains, A and B. They are across forests, with a one-way trust between the forests. A is the trusted domain, B is the trusting domain. We have a 3.6.9 Samba server joined to B's Active Directory. If we try authenticating from our machine in B's domain as a user from A, given A's domain name, it works. The command used is ntlm_auth. If we try getting its groups, by calling getusersids in our own patched version of ntlm_auth, it fails with this message.

From /var/log/samba/log.winbindd:

[2014/03/19 15:54:13.951576,  3] winbindd/winbindd_getusersids.c:49(winbindd_getusersids_send)
  getusersids S-1-5-21-3126979147-1297554514-4166189043-1113
[2014/03/19 15:54:13.951645,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupUserGroups: struct wbint_LookupUserGroups
          in: struct wbint_LookupUserGroups
              sid                      : *
                  sid                      : S-1-5-21-3126979147-1297554514-4166189043-1113
[2014/03/19 15:54:25.728717,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupUserGroups: struct wbint_LookupUserGroups
          out: struct wbint_LookupUserGroups
              sids                     : *
                  sids: struct wbint_SidArray
                      num_sids                 : 0x00000000 (0)
                      sids: ARRAY(0)
              result                   : NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/03/19 15:54:25.728877,  5] winbindd/winbindd_getusersids.c:94(winbindd_getusersids_recv)

We believe the forests and one-way trust are set up correctly, but something recently changed at the site, where it worked before and doesn't work now. Either we think a route was disabled between the machine in Domain A talking to the Domain controller in B, or something with smb.conf / krb5.conf changed. Nothing is standing out as the problem, however. Are there specific settings that need to be added into conf files for doing cross-forest commands for winbind's getusersids request? Any settings in Active Directory that have to be set?

Is there a different call besides getusersids to get the groups of the member on A that can be used cross-forest (even though we saw this work earlier before "something" changed)? Thanks for any feedback. Also, if anyone has pointers on troubleshooting such issues, that would be appreciated.
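The troubleshooting pointers asked for above, as an added example that is not part of the original post or of Samba's own tooling: a POSIX shell script that parses the ndr_print_function_debug dump winbindd writes at log level 1 or higher, reports which wbint_* RPC failed for which SID and domain, and maps the NT_STATUS code to a first manual check. The sample log is constructed from the SID and status in the post plus an invented, successful wbint_LookupSid call so the parser shows both outcomes; the wbinfo switches named in the hints exist, but the order in which to try them is this example's suggestion.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba). Parses the per-RPC
# dump that winbindd writes at "log level = 1" or higher and turns each
# NT_STATUS result into the next thing to check on the member server.

# Constructed sample: the post's wbint_LookupUserGroups failure, preceded by a
# made-up wbint_LookupSid call that succeeded, so both outcomes are exercised.
WINBIND_LOG_SAMPLE='[2014/03/19 15:54:13.951600,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupSid: struct wbint_LookupSid
          in: struct wbint_LookupSid
              sid                      : *
                  sid                      : S-1-5-21-3126979147-1297554514-4166189043-1113
[2014/03/19 15:54:13.951630,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupSid: struct wbint_LookupSid
          out: struct wbint_LookupSid
              result                   : NT_STATUS_OK
[2014/03/19 15:54:13.951645,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupUserGroups: struct wbint_LookupUserGroups
          in: struct wbint_LookupUserGroups
              sid                      : *
                  sid                      : S-1-5-21-3126979147-1297554514-4166189043-1113
[2014/03/19 15:54:25.728717,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupUserGroups: struct wbint_LookupUserGroups
          out: struct wbint_LookupUserGroups
              sids                     : *
                  sids: struct wbint_SidArray
                      num_sids                 : 0x00000000 (0)
                      sids: ARRAY(0)
              result                   : NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND'

# winbind_rpc_results: stdin = winbindd log text; stdout = "CALL SID STATUS",
# one line per wbint_* call that produced an "out:" block with a result.
winbind_rpc_results() {
  awk '
    /wbint_[A-Za-z]+: struct/ { call = $1; sub(/:$/, "", call) }
    /^[ \t]*in: struct/       { section = "in" }
    /^[ \t]*out: struct/      { section = "out" }
    section == "in"  && $1 == "sid" && $3 ~ /^S-1-/ { sid = $3 }
    section == "out" && $1 == "result" { print call, sid, $3; sid = "-" }
  '
}

# sid_domain: drop the RID, leaving the domain SID winbind has to find a DC for.
sid_domain() {
  printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# winbind_status_hint: map an NT_STATUS code to a first manual check. The
# ordering of checks is this example's suggestion, not Samba's documentation.
winbind_status_hint() {
  case "$1" in
    NT_STATUS_OK)
      echo "ok" ;;
    NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
      echo "no DC located for that SID's domain: check 'wbinfo -m' and 'wbinfo --online-status', then DNS SRV lookups, routes and firewall ports from this host to the trusted forest's DCs" ;;
    NT_STATUS_NONE_MAPPED|NT_STATUS_NO_SUCH_USER)
      echo "a DC answered but does not know the SID: check 'wbinfo -s <SID>' against the trusted domain" ;;
    *)
      echo "unhandled $1" ;;
  esac
}

# winbind_diagnose: stdin = winbindd log text; one human-readable line per call.
winbind_diagnose() {
  winbind_rpc_results | while read -r call sid status; do
    printf '%s on %s (domain %s): %s\n' \
      "$call" "$sid" "$(sid_domain "$sid")" "$(winbind_status_hint "$status")"
  done
}

# Run against the constructed sample; on a real server feed the live log instead:
#   winbind_diagnose < /var/log/samba/log.winbindd
printf '%s\n' "$WINBIND_LOG_SAMPLE" | winbind_diagnose
```

The wbint_* dump only appears once smb.conf has `log level` at 1 or higher for winbindd, so raise it before reproducing the failure. Read this way, the sample says the member could resolve the SID but got NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND when it later needed a DC for the SID's domain, which is the kind of result a lost route or DNS path to the trusted forest's controllers would produce; the wbinfo checks in the hint confirm or rule that out before touching smb.conf or krb5.conf.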