phil, winbindd _also_ calls sursswitch. _everything_ should call surs, to convert uid to sid, sid to uid, gid to sid, sid to gid. pam_ntdom, pam_smb, samba, winbind, absolutely everything. the linux kernel, in the ntfs driver (the one with no maintainer so it's going to be dropped in the next version of the linux kernel), too.