[Samba] enumerating group members with nss_winbind (4.0.9 as AD DC)
Trent W. Buck
trentbuck at gmail.com
Mon Oct 28 22:44:40 MDT 2013
When I do "getent group", I want to see the group's members enumerated.
With nss_ldap they are; with nss_winbind they aren't:
    root@gumbo:~# getent group mgmt
    PI\mgmt:*:1040:
There *are* members there (partially redacted):
    root@gumbo:~# ldbsearch -Htdb:///var/lib/samba/private/sam.ldb cn=mgmt member
    # record 1
    dn: CN=mgmt,CN=Users,REDACTED
    member: CN=alice,CN=Users,REDACTED
    member: CN=bob,CN=Users,REDACTED
    member: CN=clara,CN=Users,REDACTED
    [...]
Those members are users, not groups, by the way.
I had a look at the manpages, and so far these guesses aren't helping.
I also tried increasing "winbind expand groups" to 4.
    winbind enum groups = yes
    winbind enum users = yes
    winbind expand groups = 1
    # Automatically added during provisioning;
    # I don't know what it does.
    idmap_ldb:use rfc2307 = yes
The main reason I want this is so I can confirm that what libc sees on
the new samba4 host matches what libc sees on the old samba3 host.
Apart from anything else, new users & groups have been created since I
did a "domain classicupgrade", and I intend to just use samba-tool to
manually add them to the new host.
Plan B is to use "samba-tool group listmembers" &c to check what's on
the new host, but I've had some troubles with nss_winbind not showing
some users and groups that samba-tool can see, so I'm leery of that.
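
The comparison the post is after (what libc sees on the old host versus the new one), as an added example that is not part of the original message: it parses two saved `getent group` dumps and reports missing groups, gid changes and membership differences. The sample dumps, the `staff` group and the function names are constructed for illustration, and it assumes the old host prints unqualified names.

```python
"""Compare two `getent group` dumps (group(5): name:passwd:gid:members)."""

def parse_getent_group(text):
    """Return {name: (gid, frozenset(members))} from `getent group` output."""
    def short(name):
        # Assumption: nss_winbind qualifies names as DOMAIN\name and the other
        # host does not; drop the prefix and compare case-insensitively.
        return name.rsplit("\\", 1)[-1].lower()

    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"not a group(5) line: {line!r}")
        name, _passwd, gid, members = fields
        groups[short(name)] = (
            int(gid), frozenset(short(m) for m in members.split(",") if m))
    return groups


def diff_groups(old, new):
    """Return a sorted list of (group, problem) tuples describing mismatches."""
    problems = []
    for name in sorted(old.keys() | new.keys()):
        if name not in new:
            problems.append((name, "missing on new host"))
        elif name not in old:
            problems.append((name, "only on new host"))
        else:
            (ogid, omem), (ngid, nmem) = old[name], new[name]
            if ogid != ngid:
                problems.append((name, f"gid {ogid} -> {ngid}"))
            if omem != nmem:
                lost, added = sorted(omem - nmem), sorted(nmem - omem)
                problems.append((name, f"members lost={lost} added={added}"))
    return problems


# Constructed sample dumps (not real output), modelled on the post.
OLD_HOST = "mgmt:*:1040:alice,bob,clara\nstaff:*:1041:alice\n"
NEW_HOST = "PI\\mgmt:*:1040:\nPI\\staff:*:1041:PI\\alice\n"

if __name__ == "__main__":
    for group, problem in diff_groups(parse_getent_group(OLD_HOST),
                                      parse_getent_group(NEW_HOST)):
        print(f"{group}: {problem}")
```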