diff -U3 -r samba-3.3.9.orig/source/include/proto.h samba-3.3.9/source/include/proto.h
--- samba-3.3.9.orig/source/include/proto.h 2009-10-12 04:11:53.000000000 -0700
+++ samba-3.3.9/source/include/proto.h 2009-11-17 16:50:38.000000000 -0800
@@ -5693,6 +5693,7 @@
 bool lp_winbind_offline_logon(void);
 bool lp_winbind_normalize_names(void);
 bool lp_winbind_rpc_only(void);
+const char **lp_winbind_initgroups_ignoreusers(void);
 const char **lp_idmap_domains(void);
 const char *lp_idmap_backend(void);
 char *lp_idmap_alloc_backend(void);
diff -U3 -r samba-3.3.9.orig/source/param/loadparm.c samba-3.3.9/source/param/loadparm.c
--- samba-3.3.9.orig/source/param/loadparm.c 2009-10-12 04:11:53.000000000 -0700
+++ samba-3.3.9/source/param/loadparm.c 2009-11-17 17:05:27.000000000 -0800
@@ -343,6 +343,7 @@
 int iminreceivefile;
 struct param_opt_struct *param_opt;
 int cups_connection_timeout;
+ char **szWinbindInitgroupsIgnoreusers;
 };
 static struct global Globals;
@@ -4487,6 +4488,15 @@
 .enum_list = NULL,
 .flags = FLAG_ADVANCED,
 },
+ {
+ .label = "winbind initgroups ignoreusers",
+ .type = P_LIST,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.szWinbindInitgroupsIgnoreusers,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
 {NULL, P_BOOL, P_NONE, NULL, NULL, NULL, 0}
 };
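Review bot: The `winbind initgroups ignoreusers` entry added in the @@ -4487 hunk of loadparm.c has no description anywhere in the patch, and no documentation file is touched. Because a listed name short-circuits the getgroups request in winbindd_group.c, an administrator needs to know that matching accounts get no group lookup through winbind and that the list appears to default to empty (nothing in the patch initialises it); a comment above the entry would do, e.g. `/* users whose getgroups requests winbindd skips without a lookup; default: none */`. The parm_table array begins outside the hunk.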
@@ -5109,6 +5119,7 @@ FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon) FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames) FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly) +FN_GLOBAL_LIST(lp_winbind_initgroups_ignoreusers, &Globals.szWinbindInitgroupsIgnoreusers) FN_GLOBAL_CONST_STRING(lp_idmap_backend, &Globals.szIdmapBackend) FN_GLOBAL_STRING(lp_idmap_alloc_backend, &Globals.szIdmapAllocBackend) diff -U3 -r samba-3.3.9.orig/source/winbindd/winbindd_group.c samba-3.3.9/source/winbindd/winbindd_group.c --- samba-3.3.9.orig/source/winbindd/winbindd_group.c 2009-10-12 04:11:53.000000000 -0700 +++ samba-3.3.9/source/winbindd/winbindd_group.c 2009-11-17 17:14:58.000000000 -0800 @@ -1543,6 +1543,8 @@ struct getgroups_state *s; char *real_name = NULL; NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; + unsigned int i; + char **ignoreusers; /* Ensure null termination */ state->request.data.username @@ -1551,6 +1553,19 @@ DEBUG(3, ("[%5lu]: getgroups %s\n", (unsigned long)state->pid, state->request.data.username)); + /* Don't even lookup users we want to ignore. */ + ignoreusers = lp_winbind_initgroups_ignoreusers(); + if (ignoreusers) { + for (i = 0; ignoreusers[i] && i < UINT_MAX; i++) { + if (!strcmp(ignoreusers[i], state->request.data.username)) { + DEBUG(3, ("[%5lu]: getgroups ignoring user %s\n", + (unsigned long)state->pid, state->request.data.username)); + state->finished = True; + return; + } + } + } + /* Parse domain and username */ s = TALLOC_P(state->mem_ctx, struct getgroups_state);
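Review bot: `char **ignoreusers;` in the @@ -1543 declarations hunk of winbindd_group.c drops the const that the accessor carries: proto.h in this same patch declares `const char **lp_winbind_initgroups_ignoreusers(void)`, so the assignment in the following hunk discards a qualifier and should draw a compiler warning. Declare it as `const char **ignoreusers;`, since the list is only read here. The enclosing function starts and ends outside the hunk.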
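Review bot: The ignore path in the @@ -1551 hunk of winbindd_group.c leaves without completing the request in any way visible in the hunk: `state->finished = True; return;` sets no result, so what the client receives for an ignored user depends on how the caller treats `finished`, which is outside this patch. If the function's other exits finish through `request_error(state)` or `request_ok(state)` (not visible here), the new branch should use the same helper so an ignored user gets a definite answer. The comparison also runs on the raw request string, before the "Parse domain and username" step, with case-sensitive `strcmp`, so a domain-qualified or differently cased spelling of a listed name falls through to the normal lookup; that deserves a comment such as `/* exact match on the name as sent by the client */`. `i < UINT_MAX` adds nothing to the NULL-terminator test and can go. The function body starts and ends outside the hunk.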