The value of NSS_WRAPPER_HOSTNAME needs to match value we put into the NSS_WRAPPER_HOSTS file. We had a mismatch of idmapridmember.samba.example.com vs. idmapridmember.addom.samba.example.com This causes getaddrinfo() in nss_wrapper to fallback to the libc version, which talks to a dns server. It's not clear if recent glibc code will reach resolve/socket wrapper. So it's not unlikely that idmapridmember.samba.example.com will be passed via the internet, which causes delays up to 20 seconds.
This bug was referenced in samba master: 53f0a292f8057a63ddee951058e380b43b9d2916
Created attachment 17962 [details] Patch for v4-18-test
This bug was referenced in samba v4-18-test: d4b86186d293c80682b4e2189b8dbbec4572a9e8
This bug was referenced in samba v4-18-stable (Release samba-4.18.4): d4b86186d293c80682b4e2189b8dbbec4572a9e8
Closing out bug report. Thanks!