[Samba] getent group Issues, no groups available

[Sascha Kasch]

Dear list users,

currently i am despairing of winbind or nss and hopefully someone sees 
what i have overlooked.

[problem is getent group does not work nor does chgrp <domgroup> work. 
chown <domuser> works]

i have a samba pdc 3.5.6 on squeeze with ldap managed accounts. the pdc 
is working as expected.
now i wanted to add a samba domain member with the following config:

[global]
workgroup = albertbauer.com
log file = /var/log/samba/log.%m
log level = 6
max log size = 10000
syslog = 0
case sensitive = no
pam password change = no
unix password sync = no
encrypt passwords = true
security = domain
socket options = TCP_NODELAY
guest account = nobody
idmap uid = 10000-20000
idmap gid = 10000-20000
hide special files = Yes
hide unreadable = Yes
map acl inherit = Yes
printcap name = cups
inherit permissions = yes
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
map untrusted to domain = yes

added the server with net rpc join flawlessly.
wbinfo -u and -g work as expected an list existing users via winbind.
my nssswitch.conf:

passwd: compat winbind
group: compat winbind
shadow: compat

and here comes the problem: getent passwd is willing to list all users, 
getent group breaks with log entry (log.winbindd):

[2011/04/12 15:32:39.493322, 5] 
winbindd/winbindd_getgrent.c:149(winbindd_getgrent_recv)
getgrent failed: NT_STATUS_NO_SUCH_GROUP
[2011/04/12 15:32:39.493470, 6] 
winbindd/winbindd.c:816(winbind_client_request_read)
closing socket 22, client exited

what is wrong with my setup? i get the same error with winbind 3.5.6 and 
3.5.8 (didn´t try older versions yet).

what wonders me most is the fact that i setup an example scenario at 
home without nsswitch entries and despite that i am able
to chown and chgrp my files within the fs... how come?

any ideas are very welcome. thanks and regards,

sascha