When the rate of requests made by winbindd clients (mostly smbd processes) exceeds winbindd's ability to service those requests, a vicious cycle is created wherein the clients re-open the connection to winbindd in order to retry, winbindd does not cancel the pending request and does not close its end of the client connection, and so more and more requests get piled and more and more client connections get open, until the file descriptor limit is exhausted.
This of course be simulated, but appears to have happened in actual customer setups, in combination with bugs 11259 and 11267 (each session setup requires an ldap query, and the query opens a new connection which involves lengthy handshake with the domain controller)
Created attachment 11253 [details]
This is v6 of a fix that has been circling samba-technical for a while now.
This has been pushed upstream with 2c1c567ee1a59fa7bf09be0ed0554d2dc01cd0b9 and is in Samba 4.3.0 and newer.