After upgrade from Debian Squeeze to Debian Wheezy, winbind was upgraded from 3.5 to 3.6.6.
It seems that AD groups are not always there.

The config is :
###############
idmap config * : backend = rid
idmap config * : range = 10000-20000
in replacement of old syntax :
idmap backend = idmap_rid:RMS=10000-20000
idmap uid = 10000-20000


We do the following tests :
###########################
idmap gid = 10000-20000kinit <AD login>
klist
wbinfo -t
wbinfo -u
wbinfo -g
wbinfo -i <RMS login>
getent passwd
net ads info
wbinfo --group-info='domain users'
getent group

Only the last 2 are not working :
the first one gives :failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group domain users

The second one shows only local groups.

Samba logs gives :
##################
  ads_ranged_search failed with: Time limit exceeded
[2013/10/22 20:08:05.598683,  0] winbindd/winbindd_ads.c:1084(lookup_groupmem)
  ads_ranged_search failed with: Time limit exceeded

Winbind installation is
#######################
i  libnss-winbind:i386      2:3.6.6-6         i386              Samba nameservice integration plugins
ii  libpam-winbind:i386      2:3.6.6-6         i386              Windows domain authentication integration plugin
ii  winbind                  2:3.6.6-6         i386              Samba nameservice integration server


The only fix I found is reboot. But if winbind restart, the groups disappear again after a while.

It is very critical for us as some of applications relies on winbind groups to authorize access to users.

All migrated systems don't seem to be affected, for the moment.
We monitor through Nagios the presence of AD groups.
But had to stop migration to Debian Wheezy in waiting for a fix.

It seems to be related to https://bugzilla.samba.org/show_bug.cgi?id=8676 but not sure.