Eric Diven
2008-Jun-13 16:59 UTC
[Samba] How to map an AD group to an existing unix group/gid
I have a unix group that owns some files on a share, and I'd like to set up a group mapping so that an Active Directory group (with an existing mapping in winbind from earlier use) gets access to these files via a mapping. I've been fooling around with net groupmap add, and haven't been able to get this set up.

The group Domain Users has an existing mapping to gid 10004, which winbind allocated at some point in the past. I have a group testgroup, with gid=134.

I've tried the following:

    net groupmap add sid=S-...-513 unixgroup=testgroup ntgroup="DOMAIN+Domain Users"

which gives the following for a net groupmap list:

    DOMAIN+Domain Users (S-...-513) -> testgroup

and

    net groupmap add sid=S-...-513 unixgroup=134

which gives this when I do a net groupmap list:

    134 (S-...-513) -> DOMAIN+domain users

For both of these, when I view the properties of a file owned by testgroup, the group owner shows up as Domain Users, with both read and write permissions.

For both of these, wbinfo shows the following:

    wbinfo --group-info="DOMAIN+domain users"
    DOMAIN+domain users:x:134

So far, so good, right? However, for both of these, when I try to access a file owned by testgroup, I'm denied access. If I create a file in a directory when logged in as a domain user, it gets created with gid 10004, that's fine.

nscd is disabled, nsswitch.conf contains "group: files winbind", OS is Solaris 10 update 4, Samba is 3.0.25a, as shipped with S10u4.

Any ideas on this?

Thanks,
~Eric