Hi all,
we are facing a strange issue with trust domain users.
In the beginning, we were using samba-winbind integrated with Windows
AD (Server 2012 R2 and Server 2008 R2), and they were working pretty well.
But recently, the winbind client could not get the correct trust
domain's user group info,
like: id A\\user only shows:
uid=16077216(A\user) gid=16077216(A\domain users)
groups=16077216(A\domain users)
There should be more groups.
And we tried both versions of samba.
From wbinfo --online-status,
samba version 3.6.23-36.el6_8 shows: domain A online,
and when we try to log in via A\\user, it shows the error messages below:
Nov 22 15:21:27 sysops01 sshd[3027]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx user=A\user
Nov 22 15:21:27 sysops01 sshd[3027]: pam_winbind(sshd:auth): getting
password (0x00000210)
Nov 22 15:21:27 sysops01 sshd[3027]: pam_winbind(sshd:auth): pam_get_item
returned a password
Nov 22 15:21:27 sysops01 sshd[3027]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11),
NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked
out
Nov 22 15:21:27 sysops01 sshd[3027]: pam_winbind(sshd:auth): internal
module error (retval = PAM_MAXTRIES(11), user = 'A\user')
Nov 22 15:21:28 sysops01 sshd[3027]: Failed password for A\user from xxxxx
port 34760 ssh2
Nov 22 15:24:05 sysops01 sshd[3417]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx user=A\user
Nov 22 15:24:05 sysops01 sshd[3417]: pam_winbind(sshd:auth): getting
password (0x00000210)
Nov 22 15:24:05 sysops01 sshd[3417]: pam_winbind(sshd:auth): pam_get_item
returned a password
Nov 22 15:24:05 sysops01 sshd[3417]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11),
NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked
out
Nov 22 15:24:05 sysops01 sshd[3417]: pam_winbind(sshd:auth): internal
module error (retval = PAM_MAXTRIES(11), user = 'A\user')
Nov 22 15:24:07 sysops01 sshd[3417]: Failed password for A\user from xxxxx
port 34770 ssh2
I am sure A\user is not locked. It's so strange.
And samba version 4.6.2 shows domain A offline, but can still do id stuff.
What we have changed was upgrading Server 2008 R2 to Server 2016. I don't know
if this has an impact. (And we couldn't downgrade the Windows servers so far.)
And below is what we have tried:
leave domain and rejoin: not working.
clean samba cache: not working.
build a new server and join it to the AD: not working.
Does anyone know anything about this problem? Thank you.
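Added here as an example that is not part of the original thread: a small Python parser for the pam_winbind lines above that rejoins the mail-wrapped records, groups them per sshd session and counts the NTSTATUS result per user, so a lockout pattern like the one reported can be spotted from the host's own auth log. The sample log is constructed from the post's lines; the regexes assume the standard syslog prefix shown there.

```python
import re
from collections import Counter

# Constructed sample modelled on the pam_winbind lines in the post. The mail
# client wrapped each record, so continuation lines carry no timestamp.
SAMPLE_LOG = """\
Nov 22 15:21:27 sysops01 sshd[3027]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11),
NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked
out
Nov 22 15:21:27 sysops01 sshd[3027]: pam_winbind(sshd:auth): internal
module error (retval = PAM_MAXTRIES(11), user = 'A\\user')
Nov 22 15:24:05 sysops01 sshd[3417]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11),
NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked
out
Nov 22 15:24:05 sysops01 sshd[3417]: pam_winbind(sshd:auth): internal
module error (retval = PAM_MAXTRIES(11), user = 'A\\user')
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
RECORD = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_winbind\(sshd:auth\): (?P<msg>.*)$"
)
NTSTATUS = re.compile(r"NTSTATUS: (?P<status>NT_STATUS_\w+)")
USER = re.compile(r"user = '(?P<user>[^']+)'")

def unwrap(text):
    """Rejoin records that a mailer wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Map each sshd pid to its user and NTSTATUS; count (user, status) pairs."""
    sessions = {}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue  # not a pam_winbind line; ignore pam_unix, sshd, etc.
        s = sessions.setdefault(m["pid"], {"ts": m["ts"], "user": None, "status": None})
        n = NTSTATUS.search(m["msg"])
        if n:
            s["status"] = n["status"]
        u = USER.search(m["msg"])
        if u:
            s["user"] = u["user"]
    counts = Counter((s["user"], s["status"]) for s in sessions.values() if s["status"])
    return sessions, counts
```

Two sessions for A\user both end in NT_STATUS_ACCOUNT_LOCKED_OUT, which is the signal to compare against the account's lockout state on the domain controller rather than on the client.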