[Samba] 3.6.23-36.el6_8 and 4.2.10 = SIDs interoperability problem?

[lejeczek]

hi people

I have in userdb LDAP backend this one user (and many others):
(raw ldap):

# user243, People, xxzz.tech
dn: uid=user243,ou=People,dc=xxzz,dc=tech
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: user243
homeDirectory: /home/user243
loginShell: /bin/bash
sambaLogonTime: 0
sambaLogoffTime: 2147483647
gecos: Some User
sambaPwdCanChange: 2147483647
mail: user243 at xxzz.tech
sn: User
cn: Some User
givenName: Some
displayName: Some User
gidNumber: 513
uidNumber: 1177
sambaSID: S-1-5-21-2925918746-2661067204-1764633667-2002
sambaLMPassword: ED84DDFFD9A97C2ECA922D8A7EE0CA0B
sambaAcctFlags: [U]
sambaNTPassword: 079073B583031A7AAE5D5C2D049FC05A
userPassword:: 
e1NTSEF9TEl6QXB1TEpkNDZ6N1hxWFFiNFhTWUtxbXZKcmMwOTU=
shadowLastChange: 17038
shadowWarning: 4
shadowExpire: 17449
shadowMax: 99999
sambaKickoffTime: 1507597200
sambaPwdLastSet: 1476091342
sambaPwdMustChange: 2147483647
shadowMin: 99999


now, one server (4.2.10) fails, smbclient locally:

SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

pdbedit -v ...

Primary group S-1-5-21-2925918746-2661067204-1764633667-513 
for user user243 is a UNKNOWN and not a domain group
Forcing Primary Group to 'Domain Users' for user243

..but remaining info gets shown.

Another server (3.6.23-36.el6_8) which is PDC (it's not AD 
setup) has no problems whatsoever.

Before you ask for logs, when I do smbclient or pdbedit on 
failing (4.2.) server then nothing gets logged, even with 
level 10 of debugging.
Only journald logs:

  0, pid=37787, effective(0, 0), real(0, 0), class=auth] 
../source3/auth/check_samsec.c:494(check_sam_security)
   check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_INVALID_SID'

Every help most appreciated.
L.