[Samba] previous working smb.conf without winbind, now fails with samba 4.15.8 and winbind running

Bob Green wood.green.robert at gmail.com
Fri Feb 17 22:09:43 UTC 2023

I need a CIFS server to provide access to Linux files to Windows clients. I
am able to accomplish this on SLES12 SP5, running kernel-4.12.14, with
samba 4.10.5 using the following smb.conf

        dedicated keytab file = /etc/samba/samba.keytab
        domain master = No
        kerberos method = dedicated keytab
        load printers = No
        local master = No
        ntlm auth = disabled
        os level = 0
        preferred master = No
        printcap name = dev/null
        realm = AD.DOMAIN.COM
        security = ADS
        show add printer wizard = No
        unix extensions = No
        workgroup = AD
        idmap config * : backend = tdb
        include = /etc/samba/smb.conf.shares
        inherit permissions = Yes
        invalid users = daemon root

Winbind is not being run in this setup.  Clients connect via Kerberos
authentication, and the data users can access is enforced by extended group
file permissions, which the samba servers are configured to see via
nsswitch.conf. The group information (gidnumber) does not exist in AD.
samba.keytab contains cifs service principals for every samba server in a
DNS cluster so that connecting via smbclient --use-krb5-ccache=KCM:1000 can
be done against both the DNS round robin alias //samba.ad.domain.com as
well as against each individual samba server in the DNS RR cluster, e.g.
//samba_node_1 and //samba_node_2, etc.

The above breaks when I try to move to SLES15 SP4, kernel 5.14.21,

Apparently winbind is required to be running.  Once winbind is running,
samba reports failing to convert SID XXXXX to a UID.  It seems samba is
unable to offload uid/gid lookups to the kernel getpwent/getgrent functions.

What smb.conf parameters should I consider in order to get samba-4.15.8
working in a similar fashion as samba-4.10.5 on sles12sp5?

Thank you
