[Samba] 3.6 member to 2008 AD, winbind integration, users sometimes lose group membership

Jason Harris jrharris19 at yahoo.com
Wed Feb 19 18:55:24 MST 2014

We've had Linux fileservers in our org for a long time and this roughly 
coincided with version 3.6.

Our Linux member servers are winbound, filesystems are ext2+ with ACL 
support and permissions assigned to AD groups via setfacl.

At any given time, out of all the users that use the fileshares daily 
there are about 1-2 that get "access denied" by the client OS (Win XP, 7 
and 8).

I can log into the Linux host, su into the denied account, and verify 
that it is denied locally too, so the issue is not with the SMB share, but 
with winbind/AD/filesystem ACL.

id and getent will show that the group membership of the denied user is 
"missing" some groups, namely the ones that are needed to access the 
directory in question.  After checking with other accounts it seems like 
samba loses group enumeration more commonly.  Only by luck are the bulk 
of users successfully able to access the files they need to.

Upon further examination, it seems as though it is random; 100 servers 
with the same exact config file (save for server name) will all do 
groups correctly except for one.  After a month, it will change and 
another server will misbehave while the first will "fix" itself.

Is this the correct forum to ask for help?  If not, where can I go?

Thanks all,
Jason Harris

