diff -U3 -r samba-3.4.3.orig/nsswitch/winbind_nss_linux.c samba-3.4.3/nsswitch/winbind_nss_linux.c
--- samba-3.4.3.orig/nsswitch/winbind_nss_linux.c	2009-10-29 00:47:16.000000000 -0700
+++ samba-3.4.3/nsswitch/winbind_nss_linux.c	2009-11-18 10:07:52.000000000 -0800
@@ -1034,6 +1034,17 @@
 		user, group);
 #endif
 
+	/* Don't initialize supplementary groups for root, so core services
+	   initialized as root won't hang if winbind is waiting on something */
+	if (!strcmp(user, "root")) {
+#ifdef DEBUG_NSS
+		fprintf(stderr, "[%5d]: initgroups ignoring user 'root'\n",
+			getpid());
+#endif
+		ret = NSS_STATUS_SUCCESS;
+		goto done;
+	}
+
 #if HAVE_PTHREAD
 	pthread_mutex_lock(&winbind_nss_mutex);
 #endif
diff -U3 -r samba-3.4.3.orig/source3/include/proto.h samba-3.4.3/source3/include/proto.h
--- samba-3.4.3.orig/source3/include/proto.h	2009-10-29 00:47:16.000000000 -0700
+++ samba-3.4.3/source3/include/proto.h	2009-11-18 09:59:40.000000000 -0800
@@ -3971,6 +3971,7 @@
 bool lp_winbind_offline_logon(void);
 bool lp_winbind_normalize_names(void);
 bool lp_winbind_rpc_only(void);
+const char **lp_winbind_initgroups_ignoreusers(void);
 const char **lp_idmap_domains(void);
 const char *lp_idmap_backend(void);
 char *lp_idmap_alloc_backend(void);
diff -U3 -r samba-3.4.3.orig/source3/param/loadparm.c samba-3.4.3/source3/param/loadparm.c
--- samba-3.4.3.orig/source3/param/loadparm.c	2009-10-29 00:47:16.000000000 -0700
+++ samba-3.4.3/source3/param/loadparm.c	2009-11-18 09:59:40.000000000 -0800
@@ -350,6 +350,7 @@
 	int cups_connection_timeout;
 	char *szSMBPerfcountModule;
 	bool bMapUntrustedToDomain;
+	char **szWinbindInitgroupsIgnoreusers;
 };
 
 static struct global Globals;
@@ -4568,6 +4569,15 @@
 		.enum_list	= NULL,
 		.flags		= FLAG_ADVANCED,
 	},
+	{
+		.label		= "winbind initgroups ignoreusers",
+		.type		= P_LIST,
+		.p_class	= P_GLOBAL,
+		.ptr		= &Globals.szWinbindInitgroupsIgnoreusers,
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
 
 	{NULL,  P_BOOL,  P_NONE,  NULL,  NULL,  NULL,  0}
 };
@@ -5336,6 +5346,7 @@
 FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
 FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
 FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
+FN_GLOBAL_LIST(lp_winbind_initgroups_ignoreusers, &Globals.szWinbindInitgroupsIgnoreusers)
 
 FN_GLOBAL_CONST_STRING(lp_idmap_backend, &Globals.szIdmapBackend)
 FN_GLOBAL_STRING(lp_idmap_alloc_backend, &Globals.szIdmapAllocBackend)
diff -U3 -r samba-3.4.3.orig/source3/winbindd/winbindd_group.c samba-3.4.3/source3/winbindd/winbindd_group.c
--- samba-3.4.3.orig/source3/winbindd/winbindd_group.c	2009-10-29 00:47:16.000000000 -0700
+++ samba-3.4.3/source3/winbindd/winbindd_group.c	2009-11-18 10:02:28.000000000 -0800
@@ -1543,6 +1543,8 @@
 	struct getgroups_state *s;
 	char *real_name = NULL;
 	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+	unsigned int i;
+	char **ignoreusers;
 
 	/* Ensure null termination */
 	state->request.data.username
@@ -1551,6 +1553,20 @@
 	DEBUG(3, ("[%5lu]: getgroups %s\n", (unsigned long)state->pid,
 		  state->request.data.username));
 
+	/* Don't even lookup users we want to ignore. */
+
+	ignoreusers = lp_winbind_initgroups_ignoreusers();
+	if (ignoreusers) {
+		for (i = 0; ignoreusers[i] && i < UINT_MAX; i++) {
+			if (!strcmp(ignoreusers[i], state->request.data.username)) {
+				DEBUG(3, ("[%5lu]: getgroups ignoring user %s\n",
+					 (unsigned long)state->pid, state->request.data.username));
+				state->finished = True;
+				return;
+			}
+		}
+	}
+
 	/* Parse domain and username */
 
 	s = TALLOC_P(state->mem_ctx, struct getgroups_state);