smbd operation with no link to domain controller
uri_simchoni at hotmail.com
Thu Nov 3 07:48:54 MDT 2011
I tested a NAS device in an environment in which the connection to the domain controller goes on and off. Theoretically, clients with cached Kerberos tickets should be able to work, because the Kerberos PAC includes all the information about the user, and the id-mapping is based on rids - no communication is required.
However, in practice, I noticed that in some cases it doesn't work. I discovered that smbd verifies for each group SID in the PAC that it is, in fact, a group SID. This verification involves a possible query of the domain controller, which leads to failure. More often than not, the SID lookup succeeds using cached data, but sometimes the query is required.
Is there a technical reason to perform this extra verification, rather than trusting the PAC?
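The dependency described above, as an added illustration that is not part of the post or of Samba's code: an idmap_rid-style algorithmic SID-to-id mapping needs no DC round trip, while verifying each PAC group SID goes cache first and then to the DC, so a cold cache plus an unreachable DC fails the logon. The domain SID, the PAC contents and the DC directory are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed domain SID for illustration (not from the post).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


@dataclass
class RidIdmap:
    """Algorithmic mapping in the style of idmap_rid: id = base + RID, no DC needed."""
    domain_sid: str
    base: int = 100000      # first id reserved for this domain
    size: int = 900000      # number of ids in the range

    def sid_to_id(self, sid: str):
        m = SID_RE.match(sid)
        if not m or not sid.startswith(self.domain_sid + "-"):
            return None                     # foreign or malformed SID: not ours to map
        rid = int(m.group(1))
        return self.base + rid if rid < self.size else None


class DcUnreachable(Exception):
    """Raised when a SID type is not cached and the DC cannot be asked."""


def lookup_sid_type(sid, cache, dc):
    """Return 'user' or 'group' for sid: cache first, then the (simulated) DC."""
    if sid in cache:
        return cache[sid]
    if dc is None:                          # link to the DC is down
        raise DcUnreachable(sid)            # the failure the post describes
    cache[sid] = dc[sid]                    # dc is a constructed {sid: type} directory
    return cache[sid]


def pac_to_gids(pac_group_sids, idmap, cache, dc, trust_pac=False):
    """Map the PAC's group SIDs to gids, verifying each is a group unless trust_pac."""
    gids = []
    for sid in pac_group_sids:
        if not trust_pac and lookup_sid_type(sid, cache, dc) != "group":
            continue                        # verification dropped a non-group SID
        gid = idmap.sid_to_id(sid)
        if gid is not None:
            gids.append(gid)
    return gids
```

With trust_pac=True the mapping succeeds offline with an empty cache, but a non-group SID in the PAC is then also mapped, which is what the verification step guards against.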