It appears that the first time we see a uid/gid that winbind can't map,
we end up returning the null sid instead of falling back to the legacy
code. Next time through the code we'll hit the negative cache and do
the right thing, but we still fail the first time.
If we fail the winbind id to sid mapping, call the legacy version. This
catches the case where we don't have a negative cache entry for the mapping.
This is better than returning the NULL sid to the caller.
(cherry picked from commit
c4d05e8e1fc776dd9c528513346256cf35c9f226)