This is a feature request more than a bug. It appears that /etc/nsswitch.conf generally allows one to specify which sources of user information shadow others, but this doesn't really work for group information. That is, if I say "passwd: files winbind", user 'foo' in files completely shadows any user 'foo' in winbind, as far as passwd information goes. But, if I say "group: files winbind", it appears that both files and winbind are used to determine the set of secondary groups for a user. What I would like is a way to say that if a user is found in the first source (files) that *only* that source will be used for group information, and that nothing will come from the later source (winbind in this example).
By secondary groups I assume you mean the groups handled by initgroups and getgrouplist. I agree that something better is warranted. Some time ago I already added an initgroups entry to nsswitch.conf. Now I also added code to not proceed to the next service in case of a successful lookup when the initgroups entry is used. If the nsswitch.conf file only contains a groups entry the behavior doesn't change. The result is in git.
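As an added example (not part of the thread above, and not glibc code), a small POSIX sh audit that flags the configuration the reporter describes: a `group:` line listing several sources with no `initgroups:` line, so secondary-group membership is merged from every source instead of stopping at the first source that answers. The function names and the sample nsswitch.conf contents are constructed for this example.

```shell
#!/bin/sh
# Audit an nsswitch.conf for merged secondary-group lookups (added example).
# "group: files winbind" with no "initgroups" entry: memberships for a user
# are collected from every source. An "initgroups" entry makes the lookup
# stop at the first source that succeeds.

# Print the source list of one database from the first matching line,
# with comments and "[STATUS=ACTION]" modifiers stripped.
nss_sources() {  # $1 = file, $2 = database name (e.g. group, initgroups)
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/#.*//; s/\[[^]]*\]//g'
}

# Exit status: 0 = membership may be merged across sources,
#              1 = a single source decides, 2 = no group entry at all.
nss_group_merge_risk() {  # $1 = path to nsswitch.conf
    nss_file=$1
    grp_sources=$(nss_sources "$nss_file" group)
    [ -n "$grp_sources" ] || return 2
    set -- $grp_sources                      # split the source list into words
    [ "$#" -gt 1 ] || return 1               # one source: nothing to merge
    ig_sources=$(nss_sources "$nss_file" initgroups)
    [ -z "$ig_sources" ] || return 1         # initgroups entry: first success wins
    return 0
}

# Stand-alone use: ./nss_audit.sh /etc/nsswitch.conf
if [ "$#" -ge 1 ]; then
    if nss_group_merge_risk "$1"; then
        echo "WARN: $1 lists several group sources and no initgroups entry;"
        echo "      secondary groups are merged from all of them"
    elif [ "$?" -eq 1 ]; then
        echo "OK: $1 resolves group membership from a single source"
    else
        echo "OK: $1 has no group entry (compiled-in default applies)"
    fi
fi
```

Run it against the live file, or compare `getent initgroups <user>` before and after adding an `initgroups:` line to confirm the change in behavior.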