At this point, you should be able to resolve users and groups from the Windows Active Directory domain using getent passwd and getent group. If these commands don't display your Windows accounts, try to resolve them using wbinfo -u and wbinfo -g. These commands query the Winbind service directly, bypassing the name service switch. If you can resolve users and groups with wbinfo, go back and make sure you configured /etc/nsswitch.conf properly.
If resolution still fails, check if nscd is running. According to the Samba-3 Howto, "if nscd is running on the UNIX/Linux system, then even though NSSWITCH is correctly configured, it will not be possible to resolve domain users and groups for file and directory controls." Stop this service and retry the steps mentioned above. If nscd is not running, and you are still having problems with resolution, make sure that ports 139/TCP and 445/TCP on the primary domain controller are not blocked by a firewall. Once your workstation is joined to the domain, Winbind uses these ports to perform its lookups.
Also, look out for the following situation. getent passwd lists all of the Active Directory accounts, but getent passwd user fails. Running id user also fails for Active Directory users. If you run into this problem, make sure that the hostname of the workstation you are configuring is unique within the Active Directory domain. If /var/log/samba/log.nmbd reports that nmbd was unable to register the hostname, choose a unique hostname for your workstation and rejoin the domain.