see bug 279, my idea on a workaround/solution; I understand this is not a 
bug ; it is caused by a limitation in the unix operating system; however this 
is not a reason not trying to find a solution for it.

as winbind strives to integrate a windows domain with a samba unix member... 
think we should tackle the NGROUPS_MAX limit.

In the case where I have a samba 3 domain MEMBER of a windows Active Directory.

I would be very happy with a facility to setup a groups_mapping.txt file which 
lists all the groups that I want to "accept" on the unix side. The other 
groups that a user may have will simply be filtered out.

On the domain where I'm testing samba as a domain member I find 119 groups 
defined; ofcourse a user does not have all these groups but it is likely that 
for all kind of windows-related reasons a user gets assigned > 16 groups (the 
limit on Solaris 8..!).

For the users accessing my share on unix I'm only interested to test 1 
specific group; the share I'm using will set "force group=+sambagroup" so that 
only windows users that have this specific sambagroup can see and use this 
share and see each other's documents on this share.

If any user has more than 16 groups currently the whole implementation of 
winbind needs to be cancelled in the current version; winbind will become 
unreliable as you never know which groups will be shown in the first 
16 'visible' unix groups and which not...!

A mapping file should never contain more than NGROUPS_MAX entries.

winbind should check NGROUPS_MAX and give a severy warning if any user has 
more than NGROUPS_MAX groups assigned...

something needs to be done on this :--)