[Samba] Winbind idmap partially fails to load attributes with 4.6.7 (Ubuntu 17.10)

Greetings, All!

I'm stumbled upon an event I can't understand. Rolled out a new Ubuntu 17.10
box in preparation for eventual 18.04 launch and… it just does not fly.

Here's a brief and apparent summary of the problem:

$ smbd -V; getent passwd anrdaemon

Version 4.3.11-Ubuntu (14.04, 16.04)
anrdaemon:*:10000:10001:Andrey Repin,,,,umask=0027:/home/anrdaemon:/bin/bash

Version 4.6.7-Ubuntu (17.10)

The data retrieved by 4.3.11 client is correct as written in AD.
On 4.6.7, only UID:GID is correct. The rest comes from local template.

Both hosts are setup from the same script, with same set of related packages,
with identical set of related configuration files (in fact, they were sourced
from fame templates for this test)

Related installed modules: libnss-winbind, libpam-krb5.

nsswitch.conf and krb5.conf are exactly the same.

Here's a comprehensive run through the smb.conf on two hosts (thanks to GitHub):

On all hosts I'm able to retrieve at least partial information, which means
NSS somehow works, and I'm able to authenticate, making PAM working too.
Of course, I get booted from 17.10 box due to wrong shell.

Any ideas?

