The Samba-Bugzilla – Bug 9344
Intermittent failure of AD BUILTIN group enumeration
Last modified: 2012-11-01 15:09:48 UTC
This has been happening throughout the Samba 3.6.x series.
I run Debian Squeeze with backports, so I'm on Samba 3.6.6 now.
Here's the setup:
Host machine runs Samba as a file server. Guest VM runs an ADC under Windows Server 2008 R2 or Windows Server 2012, with Domain Functional Level at 2008 R2 or 2012, respectively (the problem existed in both Windows versions).
The host is bound to the AD as a member server based on these excellent instructions:
Basically, after I do a 'net ads join', I can enumerate users and groups properly, but after several hours or days, something breaks. Custom groups that I created in AD still seem to enumerate properly, but not the built-in ones:
groups=16777729(HOSTBOX\none),16778331(vpn users),16778322(desktop admins),16778340(mpd consulting),16777217
Those 'HOSTBOX\none' entries should be resolving to AD builtins like 'domain users', and they do for a while, until they don't. Once they break, my rights to files from Windows to the Samba server with permissions set to the builtins get messed up.
#wbinfo -g still shows the group names for the builtins.
Below is the output from 'testparm'. Please let me know what config dumps or logs you'd like to diagnose this further.
workgroup = MYDOMAIN
realm = MYDOMAIN.NET
server string = %h
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1024
max protocol = SMB2
dns proxy = No
panic action = /usr/share/samba/panic-action %d
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 16777216-33554431 # Same as Red Hat Enterprise, for consistency
idmap config * : default = yes
idmap config * : backend = rid
use sendfile = Yes
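Added here as a diagnostic illustration of what the quoted `groups` line reveals under the report's idmap configuration; this is example code, not part of the bug report or of Samba. With the rid backend, the Unix id is the RID added to the low end of the configured range, so the unresolved gid 16777729 maps back to RID 513, the well-known Domain Users RID. Assumed: the backend and range from the testparm output above; the well-known RID table is the standard AD set; the `groups` line is the one quoted in the report.

```python
import re

# Values taken from the report's testparm output (idmap config * : backend = rid,
# range = 16777216-33554431).
RANGE_LOW = 16777216
RANGE_HIGH = 33554431

# Standard AD well-known domain-relative RIDs (identical in every domain).
WELL_KNOWN_RIDS = {
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}

# Constructed sample: the `groups` line quoted in the bug report.
SAMPLE = ("groups=16777729(HOSTBOX\\none),16778331(vpn users),"
          "16778322(desktop admins),16778340(mpd consulting),16777217")

# gid, optionally followed by "(name)"; a bare gid means no name resolved at all.
ENTRY_RE = re.compile(r"(\d+)(?:\(([^)]*)\))?")


def parse_groups(line):
    """Return (gid, name) pairs from a `groups=` style line; name is None if absent."""
    body = line.split("=", 1)[1] if "=" in line else line
    return [(int(gid), name or None) for gid, name in ENTRY_RE.findall(body)]


def diagnose(line, low=RANGE_LOW, high=RANGE_HIGH):
    """Reverse the idmap_rid mapping (rid = gid - low) and flag unresolved entries.

    An entry is unresolved when it carries no name or only the '\\none'
    placeholder the reporter observed once lookups broke.
    """
    findings = []
    for gid, name in parse_groups(line):
        rid = gid - low if low <= gid <= high else None   # None: outside the rid range
        unresolved = name is None or name.lower().endswith("\\none")
        findings.append({"gid": gid, "name": name, "rid": rid,
                         "unresolved": unresolved,
                         "well_known": WELL_KNOWN_RIDS.get(rid)})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        if f["unresolved"]:
            print(f"gid {f['gid']} unresolved -> RID {f['rid']} ({f['well_known'] or 'not well-known'})")
```

Run against real output of `id` or `groups` on the member server to tell a genuine custom-group gid from a builtin whose name lookup has silently stopped resolving.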