Alessandro Giorgio Togna
2013-Feb-25 18:05 UTC
[Samba] Groups not updating on 3.5.10 (centos) or 3.6.12 (enterprise samba)
Hello everybody, we're trying to set up Samba to share directories with Win users from some Linux servers.

We've set up Kerberos, gotten a ticket, joined the server to the domain, and we get correct users/groups from "wbinfo" and "getent". The problem lies in "id": it does not update its user<->group mappings when they change on AD, even if "wbinfo" and "getent" get the changes. If we erase the /var/lib/samba/*.tdb cache the mappings get updated, but I guess this should not be the case; they should update automagically.

A thing we've noticed is that "net rpc info" on all our DCs always returns "1" as the "sequence number".

We've tried this configuration with CentOS original rpms and with EnterpriseSamba rpms for CentOS.

krb5.conf:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = AAA.LOC
   dns_lookup_realm = false
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
  # default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
  # default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

   AAA.LOC = {
    kdc = addc01pl.aaa.loc
    kdc = addc02pl.aaa.loc
    admin_server = addc01pl.aaa.loc
    default_domain = AAA.LOC
   }

  [AAA.LOC]
   .aaa.loc = AAA.LOC
   aaa.loc = AAA.LOC

lmhosts:

  127.0.0.1 localhost
  192.168.0.250 AAA

smb.conf:

  [global]
   workgroup = AAA
   realm = AAA.LOC
   netbios name = BBB
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   security = ads
   domain master = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   #map untrusted to domain = yes
   winbind use default domain = yes
   client ntlmv2 auth = yes
   interfaces = eth2 lo
   bind interfaces only = yes
   #log level = 3
   winbind enum users = yes
   winbind enum groups = yes
   winbind cache time = 60
   password server = 192.168.0.250, 192.168.0.251
   max protocol = SMB2
   load printers = no
   printing = bsd
   printcap name = /dev/null
   show add printer wizard = no
   disable spoolss = yes
   idmap cache time = 1
   idmap negative cache time = 1

Thanks for all the help we can get! (We've been reading and trying lots of things on forums/mailing lists, but to no avail.)

--
Alessandro Giorgio Togna
Area Sistemi
Università degli Studi G.Marconi
direct +39 06 37725445
switchboard +39 06 377251
http://www.unimarconi.it
http://www.marconichannel.tv
http://www.marconistudios.it
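As an added example, not part of the original post, here is a shell check for the symptom described above: it compares the gids that "id -G" reports for a user against the groups in "getent group" that list that user, so the stale-cache condition can be detected without deleting the tdb files. It assumes "winbind enum groups = yes" as in the posted smb.conf; the function names and the sample getent lines are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): detect a stale winbind
# user->group view by comparing "id -G USER" with "getent group".
# Assumes "winbind enum groups = yes" (as in the posted smb.conf) so that
# getent group enumerates AD groups with their member lists. Numeric gids
# are compared because AD group names may contain spaces ("domain users").

# stale_groups USER "ID_G_OUTPUT" "GETENT_GROUP_OUTPUT"
# Prints "GID NAME" for each group that lists USER as a member in the
# getent output but whose gid is absent from id -G: a membership that
# winbind/getent already sees while id still does not.
stale_groups() {
    local user=$1 idout=$2 getent=$3
    printf '%s\n' "$getent" | awk -F: -v u="$user" -v ids=" $idout " '
    {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (m[i] == u && index(ids, " " $3 " ") == 0)
                print $3, $1
    }'
}

# extra_groups USER "ID_G_OUTPUT" "GETENT_GROUP_OUTPUT"
# Prints gids that id -G still reports as supplementary groups although
# getent no longer lists USER in them: a removed membership surviving in
# the cache. The first gid from id -G is the primary group and is skipped,
# because getent group does not list members whose primary group it is.
extra_groups() {
    local user=$1 idout=$2 getent=$3
    printf '%s\n' "$getent" | awk -F: -v u="$user" -v idout="$idout" '
    {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) member[$3] = 1
    }
    END {
        n = split(idout, g, " ")
        for (i = 2; i <= n; i++) if (!(g[i] in member)) print g[i]
    }'
}

# check_user USER: run both checks against the live system. Any output
# means the id view is stale relative to what getent/winbind report.
check_user() {
    local user=$1 idout getent
    idout=$(id -G "$user") || return 1
    getent=$(getent group) || return 1
    stale_groups "$user" "$idout" "$getent"
    extra_groups "$user" "$idout" "$getent"
}
```

Run "check_user alice" (any AD user) on the member server; an empty result means id and getent agree for that user.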