I am authenticating users against active directory using samba/winbind but I notice that when doing
id someuser
it only shows the user as belonging to one group, by default domain users.

I know I can change the primary group in ad to change this but what I really want is for the users to belong to serveral groups instead so that I can give them access to various things by group memberships.

Is is possible to have the domain users belong to multiple groups? Is so how?

What have you done regarding group memberships and using them to assign permissions to files or shares?