Hi,

I set up a Samba4 DC server with a Windows client and 6 Linux workstations. The Windows client works fine, but the Linux Samba client is strange. I have one user which belongs to 21 AD groups, but "groups my-user" only returns some of them. At one workstation it may return all 21 groups, but others return 18 or 19 groups, and at one specific workstation it returns only 1 group!!

I backed up "/var/lib/samba/*.tdb" and issued the command "service winbind stop; rm -f /var/lib/samba/*; service winbind start". Then I get all 21 groups with "groups my-user". After that I restored the backup of "/var/lib/samba/*.tdb", and I only get a few groups as before.

The strangest part is that if I delete the tdb files at "/var/lib/samba" one by one, the information returned by "groups my-user" won't change. Only when I remove all the tdb files at once do I get a different result from "groups my-user".

I have good and broken "/var/lib/samba/*.tdb" files in hand if someone wants to check. My server and client environment is below. Thanks a lot for help!!

Server environment: Scientific Linux 6.4 64bit with Samba 4.0.5, 4.0.7 (I compiled and tested these two versions).

Client environment: Scientific Linux 6.4 64bit with Samba 3.6.9 (comes with the Linux distribution).
Samba4 server configuration:

    [global]
    workgroup = MY-DOMAIN
    realm = AD.MY-DOMAIN.COM
    netbios name = DC
    server role = active directory domain controller
    dns forwarder = 10.11.1.3
    idmap_ldb:use rfc2307 = yes
    # resolve interface bug
    interfaces = 127.0.0.1 10.11.1.2
    bind interfaces only = Yes
    strict allocate = yes
    # disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    winbind use default domain = yes
    # winbind nss info = rfc2307
    # DC won't read rfc2307 shell and home
    # template homedir = /share/samba/home/%U
    template shell = /sbin/nologin

    [netlogon]
    path = /usr/local/samba/var/locks/sysvol/ad.my-domain.com/scripts
    read only = No

    [sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

Samba3 client workstation configuration (all 6 clients are the same):

    [global]
    workgroup = MY-DOMAIN
    realm = AD.MY-DOMAIN.COM
    security = ads
    idmap config *:backend = tdb
    idmap config *:range = 3001-4000
    idmap config MY-DOMAIN:backend = ad
    idmap config MY-DOMAIN:default = yes
    idmap config MY-DOMAIN:range = 1000-3000
    idmap config MY-DOMAIN:schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = no
    winbind use default domain = yes
    winbind offline logon = yes
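One check worth running against the client configuration above, as an added example that is not part of the original post: with "idmap config MY-DOMAIN:backend = ad" and "schema_mode = rfc2307", winbind can only map a group whose AD object carries a gidNumber inside the configured range (1000-3000 here); any group without such a gidNumber is left unmapped and simply does not show up in "groups my-user". The script below takes "group:gidNumber" lines (the sample data is constructed, not taken from the poster's domain) and reports the groups that cannot be mapped.

```shell
#!/bin/sh
# Added example (not from the original post). Flags AD groups that the
# idmap_ad/rfc2307 backend on the workstations cannot map because their
# gidNumber is missing, non-numeric, or outside the configured idmap range.
IDMAP_LOW=1000    # from: idmap config MY-DOMAIN:range = 1000-3000
IDMAP_HIGH=3000

# Constructed sample input, one "name:gidNumber" per line, as you might collect
# from the DC with an LDAP query over the user's group memberships.
SAMPLE_GROUPS='domain users:1001
developers:1042
builders:
admins:3105
ops:2999'

# unmappable_groups LINES LOW HIGH
# Prints one diagnostic line per group that winbind will drop.
unmappable_groups() {
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" '
        NF < 2 || $2 == "" {
            printf "%s: no gidNumber (rfc2307 attribute missing)\n", $1; next
        }
        $2 !~ /^[0-9]+$/ {
            printf "%s: gidNumber \"%s\" is not numeric\n", $1, $2; next
        }
        $2 + 0 < lo || $2 + 0 > hi {
            printf "%s: gidNumber %s outside idmap range %d-%d\n", $1, $2, lo, hi
        }
    '
}

# unmappable_count LINES LOW HIGH
# Number of unmappable groups; handy as a health check exit status.
unmappable_count() {
    unmappable_groups "$1" "$2" "$3" | wc -l | tr -d ' '
}

unmappable_groups "$SAMPLE_GROUPS" "$IDMAP_LOW" "$IDMAP_HIGH"
```

If the number of groups reported here plus the count from "groups my-user" on a clean cache does not add up to the 21 memberships seen in AD, the discrepancy is in the directory data rather than in the winbind tdb cache.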