[Samba] Winbind syslog errors and Domain Local Groups

[(private) HKS]

Hello all.

I'm relatively new to Samba, and haven't been able to track down a
solution to this particular problem.

I use Samba/Winbind to authenticate FreeBSD machines against a
Windows 2003 Active Directory. That all works fine. The problem is
that groups in the AD of type "Security Group - Domain Local" are
causing winbindd a lot of grief. Every time the winbindd daemon is
accessed, it spews syslog messages like these for every Domain
Local group in the AD:

--------------------
Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
group dhcp users
Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
group dhcp administrators
Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
group dnsadmins
Jul  7 16:36:15 testbox winbindd[50492]: [2008/07/07 16:36:15, 0]
nsswitch/winbindd_group.c:winbindd_getgrent(1110)
Jul  7 16:36:15 testbox winbindd[50492]:   could not lookup domain
group debugger users
---------------------

All non-local groups show up just fine in the BSD system. Local
groups do not show up in a getent group.

All groups, including the local ones, show up when I run wbinfo -g.
Running wbinfo -n <localgroup> comes back with a SID:
$ wbinfo -n dnsadmins
<munged-SID> Local Group (4)

This SID is trackable back to a gid:
$ sudo wbinfo --sid-to-gid <munged-SID>
11105

Why, then, are these groups not actually getting populated? Can anyone
shed some light on this?

-HKS