Johannes Amorosa | Celluloid VFX
2014-Apr-16 11:49 UTC
[Samba] Problems with Group Ids and several samba servers
Hello List,

we're having a problem mapping groups to a second server acting as a fileserver. We use tdbsam with local users and groups on the PDC. We now want to add more servers to the setup, authenticating all users/groups via the domain. Adding the appropriate users and groups and mapping the uid and gid on the fileservers will be done automatically via ssh with a usradd.sh script. This should be a workaround until we have a proper domain user authentication in place.

The script works fine and the users/groups on all machines are the same. Authentication works. The testuser can log in on the fileserver with the domain credentials. We fail in writing to the folder that *should* be accessible for the group uw4, of which testuser is globally and locally a member.

We tested writing locally:

drwxrws--- 2 root uw4 2 Apr 16 12:13 project
sudo -u testuser touch project/moo --> works

and we can write via samba in the root of the share folder, so I assume user id works, but groups are ignored.

What am I missing?

Thank you for your time.
JA

Setup:

PDC: Samba Version 3.3.4
-------------------------
smb.conf (skipped some irrelevant parts)

[global]
workgroup = OURCOMPANY
netbios name = PDCSRV
server string = %h PDC
passdb backend = tdbsam
socket options = IPTOS_LOWDELAY TCP_NODELAY
add user script = /etc/samba/usradd.sh %u
delete user script = /etc/samba/usrdel.sh %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/bin/gpasswd -a %u %g
delete user from group script = /usr/bin/gpasswd -d %u %g
add machine script = /etc/samba/pcadd.sh %u
logon script = scripts\%U.bat
logon path = \\%L\profiles\%U
logon drive = U:
logon home = \\%L\profiles\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
enhanced browsing = No

[Netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root, ntadmin
read only = No
browseable = No
create mask = 0775
directory mask = 0775

[Profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
browseable = No

[Share]
comment = Our Old Share
path = /mnt/share
read only = No
create mask = 0660
directory mask = 2770

Fileserver: Samba Version 3.6.3
-------------------------
testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[sambatest]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

[global]
workgroup = OURCOMPANY
netbios name = FILESERVER
server string = %h
log file = /var/log/samba/log.%m
log level = 1
syslog = 0
panic action = /usr/share/samba/panic-action %d
guest ok= no
domain logons = no
socket options = IPTOS_LOWDELAY TCP_NODELAY
security = domain
wins server = 192.168.1.254
template shell = /bin/bash
time server = yes
domain master = no
winbind trusted domains only = yes
encrypt passwords = yes
passdb backend = tdbsam
local master = no
preferred master = no
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

[sambatest]
read only = no
path = /silo/cachetest/
comment = Sambatest
veto files = /._*/.DS_Store/.Trash*/.TemporaryItems/desktop.ini/Thumbs.db/.apdisk/
create mask = 0660
directory mask = 2770

--
Johannes Amorosa | Celluloid VFX