[Samba] Missing group membership of user on domain member

[Andreas Hauffe]

Hello,

we have a fileserver (nfs4/krb5) running as domain member (Debian 10, 
Samba 4.13.2, winbind). This server is member of the domain ILRW, which 
itself is a subdomain of DOM. All users are defined in DOM and the 
groups are domain local groups defined in ILRW. For some users winbind 
does not list the domain local groups of ILRW (wbinfo --user-groups 
$USERNAME), so the users are not able to access resources via NFS4. I 
already tried to remove the /usr/local/samba folder completely, 
recompile (install) samba and rejoin it to the ILRW domain. So I hope 
there shouldn't be any cache issues. Can somebody give a hint, how solve 
this problem?

smb.conf

[global]
         bind interfaces only = Yes
         dedicated keytab file = /etc/krb5.keytab
         interfaces = lo enp1s0f0
         kerberos method = secrets and keytab
         realm = ILRW.ING.DOM.TU-DRESDEN.DE
         security = ADS
         server min protocol = SMB3_00
         template homedir = /home/users/linux/%U
         template shell = /bin/bash
         winbind refresh tickets = Yes
         winbind separator = +
         workgroup = ILRW
         idmap config * : range = 2000-2999
         idmap config ilrw : backend = rid
         idmap config ilrw : range = 3000-9999 # UID aus RID für POOL
         idmap config dom : backend = rid
         idmap config dom : range = 10000-9999999 # UID aus RID für DOM
         idmap config * : backend = tdb

Regards,
Andreas