samba - May 2008 - Incorrect/incomplete group information when authenticating against AD

Summary: a Samba server authenticating against AD can only
retrieve some, not all, groups that users belong to.

I have a Linux server "oldsys" (all version info given
below) making files available via Samba and authenticating
against Windows AD. This works without problems.

We want to migrate the data, and thus the Samba
configuration, to a new server "newsys". This has been done,
with the smb.conf file being copied from oldsys to newsys. I
have joined newsys to the AD tree. "wbinfo -t", "wbinfo -u"
and "wbinfo -g" give the expected results.

The group information for a given user is incomplete on
newsys. Here's the output from each system for one user:

oldsys # id Tiger 
uid=10353(tiger) gid=10001(Domain Users)
groups=10001(Domain Users),10008(Domain
Admins),10004(Services),10012(Compbio),10016(Admin),10020(Techserv),
10023(Inkjet),10024(Sysadmin),10063(IFRpan),10048(qcall)

newsys # id Tiger
uid=10004(tiger) gid=10000(domain users) groups=10000(domain users)

Not only is the newsys group list much shorter, but also the
"Domain Users" group is a different gid and the user has a
different uid. There is no user "Tiger" in the passwd
database on either Linux server, so the response is
apparently coming from the AD tree.

One other anomaly: a "getent passwd" on the old system lists
all the /etc/passwd entries as well as the AD users; the
same command on the new system lists only the /etc/passwd
users. An "egrep '(^passwd|^group|^shadow)'
/etc/nsswitch.conf" produces the same results on each
system:

passwd:     files winbind
shadow:     files
group:      files winbind

I'm at a loss to understand why the group information (and
the "getent passwd" list) are different on the two systems,
and I'd welcome any pointers.

Versions:
oldsys # smbd -V
Version 3.0.21a
oldsys # cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)

newsys # smbd -V
Version 3.0.24
newsys # cat /etc/debian_version
4.0

Thanks for any ideas,
Keith