When (for some reason) a user's tokenGroups attribute is not available, winbindd
falls back from lookup_usergroups() to lookup_usergroups_alt()
lookup_usergroups_alt() is buggy - as it does not manually recurse over all the
groups. (It only does a single level lookup, and therefore misses groups in
groups). This may not be possible, given what groups are on what servers.
Both these functions are ADS LDAP functions. The fallback is between two
different questions we can ask ADS.
The fallback is less efficient, particularly now that we find the need to
closing old bugs. relying on the PAC or Samlogon() reply is really the only valid solution.