Comment 6 for bug 1830117

Interestnig, now I don't have such a setup to debug that on my own.
A few things I wanted to check thou.

Does your samba/windbind have in /etc/samba/smb.conf:
  winbind expand groups = 1
Your positive getent results suggests this works, but I wanted to be sure.

Further I wanted to ask, did you try with lowercase?
Some parts of pam don't like to differentiate here, maybe that got changed in the update.
  sgrp="ngti"

Further I have seen many forms of sgrp with AD.
I don't know if they makes sense at all, but they might be easy and worth try:
  sgrp="domain ngti"
  sgrp="domain NGTI"
  sgrp="domain ngti@YOURDOMAINURL"
  sgrp="YOUDOMAINNAME\ngti^group"
  sgrp="YOUDOMAINNAME\ngti"

Finally, you might try to isolate it we are really looking at a samba/windbing/libpam_mount/... issue.
You could create a new system (16.04) and set it up to work.
Then you could try to upgrade those components individually.
To do so replace xenial with bionic in /etc/apt/sources.list, run `apt update`.
And then instead of a full upgrade try if you e.g. can `apt install libpam_mount` which will drag some new dependencies without upgrading too much else e.g. no samba. Test with that and we know if it actually is in libpam_mount or maybe in another component.
You can do the same for samba/windbind or *pam in general.
Note: This is just for debugging and not generally recommended.

Not sure I can help, but let me know what you find maybe we can find something together.