When (for some reason) a user's tokenGroups attribute is not available, winbindd falls back from lookup_usergroups() to lookup_usergroups_alt().

lookup_usergroups_alt() is buggy - as it does not manually recurse over all the groups. (It only does a single-level lookup, and therefore misses groups in groups.) This may not be possible, given what groups are on what servers.

Andrew Bartlett
Clarification: Both these functions are ADS LDAP functions. The fallback is between two different questions we can ask ADS. The fallback is less efficient, particularly now that we find the need to manually recurse.
Closing old bugs. Relying on the PAC or Samlogon() reply is really the only valid solution.
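The gap described in this report, as an added example that is not Samba code: a single-level memberOf lookup compared with a manual recursion over groups in groups, run against a constructed in-memory directory. The DNs and the function names (`direct_groups`, `nested_groups`, `missed_by_single_level`) are hypothetical, and the model assumes every group is visible from one server, which the report notes may not hold.

```python
from collections import deque

# Constructed sample directory (not real data): DN -> direct memberOf values.
# file-admins and it-staff are nested in each other to show the cycle case.
MEMBER_OF = {
    "CN=alice,CN=Users,DC=example,DC=test": [
        "CN=helpdesk,CN=Users,DC=example,DC=test",
    ],
    "CN=helpdesk,CN=Users,DC=example,DC=test": [
        "CN=it-staff,CN=Users,DC=example,DC=test",
    ],
    "CN=it-staff,CN=Users,DC=example,DC=test": [
        "CN=file-admins,CN=Users,DC=example,DC=test",
    ],
    "CN=file-admins,CN=Users,DC=example,DC=test": [
        "CN=it-staff,CN=Users,DC=example,DC=test",
    ],
}


def direct_groups(dn, directory=MEMBER_OF):
    """Single-level lookup: only the memberOf values on the object itself."""
    return set(directory.get(dn, []))


def nested_groups(dn, directory=MEMBER_OF):
    """Manual recursion: follow memberOf on every group that is found.

    The visited set makes circular nesting terminate instead of looping.
    """
    seen = set()
    queue = deque(directory.get(dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(directory.get(group, []))
    return seen


def missed_by_single_level(dn, directory=MEMBER_OF):
    """Groups the single-level lookup leaves out of the user's group list."""
    return nested_groups(dn, directory) - direct_groups(dn, directory)


if __name__ == "__main__":
    user = "CN=alice,CN=Users,DC=example,DC=test"
    for group in sorted(missed_by_single_level(user)):
        print("missed:", group)
```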