Samba – AD group membership changes not reflected in winbind information

Tags: groups, samba

I have inherited several RHEL5 servers that were set up to authenticate users against their AD accounts via winbind. Everything works fine until I update group membership in AD. For some users, the changes never make it to the output of the "groups" command, although they are reflected in the output of "getent group <groupname>".

For example, consider the following:

[root@hcc1pl1 ~]# groups plubans
plubans : domain users systems infrastructure development
[root@hcc1pl1 ~]# getent group q1esb
q1esb:*:23136:q1qai,q1prodi

If I add myself to q1esb on the DC that winbind is using, you can see that the membership is updated:

[root@hcc1pl1 ~]# lsof -i | grep winbind
winbindd 31339 root 17u IPv4 63817934 TCP hcc1pl1:56541->hcnas01:microsoft-ds (ESTABLISHED)
winbindd 31339 root 21u IPv4 63817970 TCP hcc1pl1:53622->hcnas01:ldap (ESTABLISHED)
[root@hcc1pl1 ~]# ldapsearch -u -x -LLL -h hcnas01 -D "plubans@XXX.XXX" -W -b "CN=Peter Lubans,OU=Standard User Accounts,OU=Users,OU=XXX,DC=XXX,DC=XXX" "(sAMAccountName=*)" memberOf
Enter LDAP Password:

memberOf: CN=q1esb,OU=Security Groups,OU=Groups,OU=XXX,DC=XXX,DC=XXX

Note that winbind is running without caching (-n flag):

[root@hcc1pl1 ~]# ps -ef | grep winbind
root 31339 1 0 13:50 ? 00:00:00 winbindd -n
root 31340 31339 0 13:50 ? 00:00:00 winbindd -n
root 31351 31339 0 13:50 ? 00:00:00 winbindd -n
root 31352 31339 0 13:50 ? 00:00:00 winbindd -n
root 31353 31339 0 13:50 ? 00:00:00 winbindd -n

Now getent shows that that group has the correct members:

[root@hcc1pl1 ~]# getent group q1esb
q1esb:*:23136:q1qai,plubans,q1prodi

But the updated membership is not reflected in my account details:

[root@hcc1pl1 ~]# groups plubans
plubans : domain users systems infrastructure development
[root@hcc1pl1 ~]#

The truly vexing part of this problem is that it works fine for other accounts on this machine, and for my account on machines that I have configured from the ground up.

Any ideas?

Best Answer

It appears that this was caused by group information being cached at logon time in /var/cache/samba/netsamlogon_cache.tdb. I guess that although '-n' instructed winbind not to cache its queries against LDAP, the presence of the membership information in that TDB file was enough to mess things up.
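A small diagnostic for spotting the mismatch described in the question and answer, added here as an example and not part of the original question or answer. It compares the groups in which a user appears in the NSS group map (what `getent group` returns) against the groups in the user's identity (what `id` returns) and lists any group the NSS map says the user belongs to that is missing from the identity, which is exactly the stale state the answer traces to netsamlogon_cache.tdb. The sample data is constructed from the outputs shown above; the `id` output form is parsed instead of `groups` because group names containing spaces such as "domain users" are unambiguous there. The function names and the `check_live` helper are assumptions of this example, not Samba tooling.

```shell
#!/bin/sh
# Added example: detect AD groups that the NSS group map says a user belongs
# to but that are missing from the user's effective identity (the stale
# winbind state discussed in the question and answer).

# Constructed sample: `getent group` lines for the groups of interest, with
# plubans already added to q1esb (as in the question after the AD change).
GETENT_SAMPLE='domain users:*:10000:plubans,q1qai
systems:*:10001:plubans
infrastructure:*:10002:plubans
development:*:10003:plubans
q1esb:*:23136:q1qai,plubans,q1prodi'

# Constructed sample: `id plubans` output in the stale state; the uid and
# gid values are made up for the example.
ID_SAMPLE='uid=20001(plubans) gid=10000(domain users) groups=10000(domain users),10001(systems),10002(infrastructure),10003(development)'

# groups_from_getent USER GETENT_TEXT
# Print, one per line, every group whose member list (field 4) names USER.
groups_from_getent() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                if (members[i] == u) { print $1; break }
            }
        }'
}

# groups_from_id ID_TEXT
# Print, one per line, the group names from the "groups=" part of `id` output,
# stripping the numeric gid and parentheses around each name.
groups_from_id() {
    printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n' | sed 's/^[0-9]*(//; s/)$//'
}

# stale_groups USER GETENT_TEXT ID_TEXT
# Print groups that list USER in the NSS group map but are absent from the
# user's identity. An empty result means the two views agree.
stale_groups() {
    user=$1
    effective=$(groups_from_id "$3")
    groups_from_getent "$user" "$2" | while IFS= read -r g; do
        printf '%s\n' "$effective" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# check_live USER
# Hypothetical helper: run the same comparison against the live system. It is
# not exercised by the sample data above.
check_live() {
    stale_groups "$1" "$(getent group)" "$(id "$1")"
}

# Run the comparison on the constructed data; prints "q1esb".
stale_groups plubans "$GETENT_SAMPLE" "$ID_SAMPLE"
```

Running `check_live plubans` on a host showing the symptom would print the groups whose AD membership has not reached the user's identity; once the stale logon cache described in the answer is cleared and the user's identity is refreshed, the same call prints nothing.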