[Samba] Why is winbind so slow?!

ZIGLIO, Frediano, VF-IT Frediano.Ziglio at vodafone.com
Fri Feb 16 16:31:05 GMT 2007

  I installed samba on a large Active Directory. All is working, I use
winbind in pam and everything is working.
However sometimes it just hangs for a while (say 20 seconds) and then goes
on without problems.
Currently I increased "winbind cache time" to mitigate the problem.
There are mainly two situations where this hang occurs
1- login
2- ls -l
3- groups

I tried to analyze the problem a bit more deeply. The hang with case 2 occurs
every 2/3 minutes (without "winbind cache time") so I launched a strace
on winbind and when ls -l hangs I see a lot of ldap queries !!! Then I
launched tcpdump on the ldap port and strace and retried the ls -l test.
Now I do a ls -l in my home directory. My user is an AD user of a
"DOMAIN\Domain Users" main group so ls -l says something like

-rw-r--r--   1 user Domain Users     1234 Xxx XX  2005 file.txt

ls -ln:

-rw-r--r--   1 16804756 16777217     1234 Xxx XX  2005 file.txt

So ls -l should ask which user is 16804756 and which group is 16777217.
Winbind should (IMHO) get the SIDs of 16804756 and 16777217 from the local
cache, then check if the names are updated in the cache and update them if
necessary. The problem is that winbind does not simply check for the name of
16777217, but when the group changes it dumps a lot of other information like
the users in the group and then for each user in the group it asks for
information. Now all users in AD (I know it is ugly but I don't manage AD)
have Domain Users as the main group so it takes very long to get the whole
user list and update every user. It would be better (at least for my case)
that winbind just gets the group name and marks "the member list is not
correct".

Is anybody working in this direction? Can I help you in some way?

  Frediano Ziglio
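
Added example, not part of the original post: a Python sketch that times the same uid and gid lookups ls -l makes through NSS for the files in a directory, and reports how many members each group lookup returned. The function names (timed, profile_ids, slow) and the 1-second threshold are assumptions chosen for illustration.

```python
import grp
import os
import pwd
import time


def timed(lookup, ident):
    """Run one NSS lookup; return (entry or None, elapsed seconds)."""
    start = time.monotonic()
    try:
        entry = lookup(ident)
    except KeyError:  # the id has no name in any NSS source
        entry = None
    return entry, time.monotonic() - start


def profile_ids(path="."):
    """Resolve every distinct owner uid and gid under path once, as ls -l does."""
    uids, gids = set(), set()
    with os.scandir(path) as entries:
        for item in entries:
            st = item.stat(follow_symlinks=False)
            uids.add(st.st_uid)
            gids.add(st.st_gid)
    rows = []  # (kind, id, name, member_count, seconds)
    for uid in sorted(uids):
        entry, secs = timed(pwd.getpwuid, uid)
        rows.append(("uid", uid, entry.pw_name if entry else None, None, secs))
    for gid in sorted(gids):
        entry, secs = timed(grp.getgrgid, gid)
        # getgrgid() hands back the member list together with the group name,
        # so a group lookup can cost far more than a user lookup.
        members = len(entry.gr_mem) if entry else None
        rows.append(("gid", gid, entry.gr_name if entry else None, members, secs))
    return rows


def slow(rows, threshold=1.0):
    """Keep only lookups that took at least `threshold` seconds (assumed limit)."""
    return [row for row in rows if row[4] >= threshold]


if __name__ == "__main__":
    for kind, ident, name, members, secs in profile_ids("."):
        extra = "" if members is None else f" members={members}"
        print(f"{kind} {ident:>10} {name!s:<24} {secs:8.3f}s{extra}")
```

Running it once with a cold winbind cache and once with a warm one separates the cost of the group lookup from the cost of the user lookup.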
