samba - Jun 2018 - 4.5 -> 4.8 samba fails to start

Hi all,
   I'm trying to upgrade samba from 4.5 to 4.8 and it no longer starts. 
This is using the Debian Jessie (4.5.12+dfsg-2+deb9u2) and Debian 
testing (4.8.2+dfsg-1) packages.
   Below are a log file from the non-starting server, and testparm on 
the working 4.5, and again on the non-working 4.8.
   I do so an ERROR in the the testparm for 4.8:

idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

   If someone could guide me through making samba happy about that, that 
would be great.
   I may have an usual setup.  In 4.5 Samba checks against an MIT 
kerberos server for authentication.

Thanks!
Chad.



The last few lines of log.smbd are : (I've got more!)
   create_builtin_administrators: Failed to create Administrators
[2018/06/18 06:11:21.308167,  4, pid=19610, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/06/18 06:11:21.308250,  3, pid=19610, effective(0, 0), real(0, 0)] 
../source3/auth/token_util.c:708(finalize_local_nt_token)
   Failed to check for local Administrators membership 
(NT_STATUS_INVALID_PARAMETER_MIX)
[2018/06/18 06:11:21.308384,  4, pid=19610, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:216(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2018/06/18 06:11:21.308461,  4, pid=19610, effective(0, 0), real(0, 0)] 
../source3/smbd/uid.c:491(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2018/06/18 06:11:21.308533,  4, pid=19610, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/06/18 06:11:21.308604,  5, pid=19610, effective(0, 0), real(0, 0)] 
../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2018/06/18 06:11:21.308675,  5, pid=19610, effective(0, 0), real(0, 0)] 
../source3/auth/token_util.c:810(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2018/06/18 06:11:21.308838,  5, pid=19610, effective(0, 0), real(0, 0)] 
../source3/passdb/pdb_util.c:128(create_builtin_users)
   create_builtin_users: Failed to create Users
[2018/06/18 06:11:21.308953,  4, pid=19610, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/06/18 06:11:21.309036,  3, pid=19610, effective(0, 0), real(0, 0)] 
../source3/auth/token_util.c:751(finalize_local_nt_token)
   Failed to check for local Guests membership 
(NT_STATUS_INVALID_PARAMETER_MIX)
[2018/06/18 06:11:21.309118,  0] 
../source3/auth/auth_util.c:1372(make_new_session_info_guest)
   create_local_token failed: NT_STATUS_NO_MEMORY
[2018/06/18 06:11:21.309208,  0, pid=19610, effective(0, 0), real(0, 0)] 
../source3/smbd/server.c:1993(main)
   ERROR: failed to setup guest info.

Googling get me the most interesting result of a Debian bug.  The 
reported "resolved" it for themselves by using Samba 4.7 ;) .
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899269

testparm in 4.5
------------------------------------------------------------------------
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Processing section "[LabSoftware]"
Processing section "[monitor]"
Processing section "[smb]"
Processing section "[guest]"
Loaded services file OK.
WARNING: some services use vfs_fruit, others don't. Mounting them in 
conjunction on OS X clients results in undefined behaviour.

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
         realm = PHYSICS.WISC.EDU
         server string = %h server
         workgroup = PHYSICS
         max log size = 100000
         syslog = 0
         panic action = /usr/share/samba/panic-action %d
         kerberos method = secrets and keytab
         map to guest = Bad User
         security = ADS
         server signing = required
         hostname lookups = Yes
         dns proxy = No
         fruit:nfs_aces = no
         idmap config * : backend = tdb

[LabSoftware]
         path = /srv/smb/LabSoftware
         guest ok = Yes
         hosts allow = blah blay blax
         smb encrypt = No


[monitor]
         path = /srv/monitor
         browseable = No
         read only = No
         vfs objects = btrfs


[smb]
         path = /srv/smb
         ea support = Yes
         inherit acls = Yes
         inherit permissions = Yes
         read only = No
         smb encrypt = desired
         msdfs root = Yes
         vfs objects = btrfs catia fruit streams_xattr
         fruit:encoding = native


[guest]
         path = /srv/smb
         hide unreadable = Yes
         ea support = Yes
         guest ok = Yes
         inherit acls = Yes
         inherit permissions = Yes
         read only = No
         smb encrypt = desired
         msdfs root = Yes
         vfs objects = btrfs catia fruit streams_xattr
         fruit:encoding = native

-----------------------------------------------

testparm for same config file in 4.8
------------------------------------------------------------------------
# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Processing section "[monitor]"
Processing section "[smb]"
Processing section "[guest]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

WARNING: some services use vfs_fruit, others don't. Mounting them in 
conjunction on OS X c
lients results in undefined behaviour.

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
         dns proxy = No
         hostname lookups = Yes
         kerberos method = secrets and keytab
         map to guest = Bad User
         max log size = 100000
         panic action = /usr/share/samba/panic-action %d
         realm = PHYSICS.WISC.EDU
         security = ADS
         server signing = required
         server string = %h server
         syslog = 0
         workgroup = PHYSICS
         fruit:nfs_aces = no
         idmap config * : backend = tdb


[monitor]
         browseable = No
         path = /srv/monitor
         read only = No
         vfs objects = btrfs

[smb]
         ea support = Yes
         inherit acls = Yes
         inherit permissions = Yes
         msdfs root = Yes
         path = /srv/smb
         read only = No
         smb encrypt = desired
         vfs objects = btrfs catia fruit streams_xattr
         fruit:encoding = native

[guest]
         ea support = Yes
         guest ok = Yes
         hide unreadable = Yes
         inherit acls = Yes
         inherit permissions = Yes
         msdfs root = Yes
         path = /srv/smb
         read only = No
         smb encrypt = desired
         vfs objects = btrfs catia fruit streams_xattr
         fruit:encoding = native