linux

Why don't wbinfo and getent see domain users?

Good time, colleagues!
I'm trying to get a Linux wheelbarrow into a Windows domain. Machine with Debian 8, Samba 4. Domain on Win Server 2008R2. Connected to the domain successfully, but wbinfo -u | -g and similar getnet passwd | groups do not see domain users and groups.
I did not find a similar situation in the docks and manuals on the open spaces of Google.
Configs:
smb.conf:

[global]
   workgroup = REGIONS
   realm = REGIONS.LAN
   dns proxy = no
   interfaces = eth0
   log file = /var/log/samba/log.%m
   max log size = 10000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad password
   usershare allow guests = no
   unix charset = utf8
   dos charset = cp1251
   security = ADS
   auth methods = winbind
   encrypt passwords = yes
   client use spnego = yes
   client ntlmv2 auth = yes
   restrict anonymous = 2
   socket options = TCP_NODELAY
# Отключаем любые попытки тачки стать контроллером домена
   domain master = no
   local master = no
   preferred master = no
   os level = 0
# Отключаем поддержку принтеров
   load printers = no
   show add printer wizard = no
   printcap name = /dev/null
   disable spoolss = yes
# Включаем интеграцию с Winbind
   domain logons = yes
   idmap uid = 10000 - 40000
   idmap gid = 10000 - 40000
   winbind refresh tickets = yes
   winbind enum groups = yes
   winbind enum users = yes
   winbind use default domain = yes
   winbind cache time = 40
   template shell = /bin/false
   winbind refresh tickets = yes
[share]
   comment = Shared folder
   path = /srv/samba/share
   read only = no
   browseable = yes
   guest ok = no
   create mask = 0777
   directory mask = 0777
   writable = yes
[users]
   comment = Users folder
   path = /srv/samba/users
   read only = no
   browseable = yes
   guest ok = no
   create mask = 0777
   directory mask = 0777
   writable = yes

krb5.conf:

[libdefaults]
        default_realm = REGIONS.LAN
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true
[realms]
        REGIONS.LAN = {
                kdc = dc01
                admin_server = dc01
                default_REGIONS = REGIONS.LAN
        }
[REGIONS_realm]
        .regions.tax.nalog.ru = REGIONS.LAN
        regions.tax.nalog.ru = REGIONS.LAN
[login]
        krb4_convert = false
        krb4_get_tickets = false

Result of the testparm command:

# testparm
Load smb config files from /etc/samba/smb.conf
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Processing section "[share]"
Processing section "[users]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

And actually

# wbinfo -t
checking the trust secret for domain REGIONS via RPC calls succeeded

Thus, the machine has entered the domain, authorization through kerberos is successful, samba has established a trusted relationship with the domain.
Tell me where to dig?
NB: There is no access to the domain controller. On his side, I can not see the logs.