AD group membership changes not reflected in winbind information
Solution 1:
It appears that this was caused by group information being cached at logon-time in /var/cache/samba/netsamlogon_cache.tdb. I guess that although '-n' instructed winbind not to cache it's queries against LDAP, the presence of the membership information in that TDB file was enough to mess things up.