If a user or group of a trusted domain is member of a group in the local domain, we currently ignore that and don't include the required group sid to the users security token.
This is fixed in master and 4.9