Can't log in to Ubuntu as domain user "no passwd entry for user" (SSSD, KRB5, Samba)


I know this is not a super-helpful answer, but it is virtually impossible to help without seeing the sssd logs. Follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html


Author by

Admin

Updated on September 18, 2022

Comments

  • Admin
    Admin over 1 year

    I followed this guide to join my Ubuntu 14.04 server to my domain. I have everything working - the server joined AD fine, I can kinit just fine, and dynamic DNS is working great. However, when I log in to Linux and try to su as a domain user, it fails...

    Example:

    su domainuser
    No passwd entry for user 'domainuser'
    
    su timdomain\\domainuser
    No passwd entry for user 'timdomain\domainuser'
    
    su timdomain.local\\domainuser
    No passwd entry for user 'timdomain.local\domainuser'
    
    su TIMDOMAIN.LOCAL\\domainuser
    No passwd entry for user 'TIMDOMAIN.LOCAL\domainuser'
    

    KRB5.conf

    [libdefaults]
        default_realm = TIMDOMAIN.LOCAL
    
    
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
    
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true
    
    [realms]
        TIMDOMAIN.LOCAL = {
                kdc = dc01.timdomain.local
                admin_server = dc01.timdomain.local
                default_domain = timdomain.local
                        }
    
    [domain_realm]
        .timdomain.local = DC01.TIMDOMAIN.LOCAL
        timdomain.local = DC01.TIMDOMAIN.LOCAL
    [login]
        krb4_convert = true
        krb4_get_tickets = false
    

    SSSD.conf

    [sssd]
    services = nss, pam
    config_file_version = 2
    domains = TIMDOMAIN.LOCAL
    
    [domain\TIMDOMAIN.LOCAL]
    id_provider = ad
    overridehomedir = /home/%d/%u
    access_provider = simple
    

    smb.conf

    [global]
       workgroup = TIMDOMAIN
       client signing = yes
       client use spnego = yes
       kerberos method = secrets and keytab
       realm = TIMDOMAIN.LOCAL
       security = ads
    
       server string = %h server (Samba, Ubuntu)
       dns proxy = no
    
       log file = /var/log/samba/log.%m
    
       max log size = 1000
    
       syslog = 0
    
       panic action = /usr/share/samba/panic-action %d
    
       server role = standalone server
       passdb backend = tdbsam
    
       obey pam restrictions = yes
       unix password sync = yes
       passwd program = /usr/bin/passwd %u
       passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
       pam password change = yes
    
       map to guest = bad user
       usershare allow guests = yes
    
    
    [printers]
       comment = All Printers
       browseable = no
       path = /var/spool/samba
       printable = yes
       guest ok = no
       read only = yes
       create mask = 0700
    
    [print$]
       comment = Printer Drivers
       path = /var/lib/samba/printers
       browseable = yes
       read only = yes
       guest ok = no
    

    nsswitch.conf

    passwd:         compat sss
    group:          compat sss
    shadow:         compat
    
    hosts:          files dns
    networks:       files
    
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis sss
    sudoers:        files sss
    

    ~

  • U880D
    U880D about 6 years
    I found the mentioned starting point for debugging problems, setting the debug_level to something between 6 and 8, very helpful. Monitoring the logs via tail -F /var/log/sssd/*.log then gave almost an answer.
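
A pre-flight check that can be run before turning to the logs, added here as an example and not part of the original question, answer or comments: it parses an sssd.conf and reports every domain enabled in `[sssd]` that has no matching `[domain/NAME]` section (the section form given in the sssd.conf man page), plus domain sections without the `debug_level` the comment above recommends. The function name `check_sssd_conf` is hypothetical, and the sample input is the sssd.conf from the question.

```python
import configparser

# Sample input: the sssd.conf posted in the question, reproduced verbatim.
QUESTION_CONF = r"""
[sssd]
services = nss, pam
config_file_version = 2
domains = TIMDOMAIN.LOCAL

[domain\TIMDOMAIN.LOCAL]
id_provider = ad
overridehomedir = /home/%d/%u
access_provider = simple
"""


def check_sssd_conf(text):
    """Return a list of findings for an sssd.conf given as a string."""
    # interpolation=None: values such as /home/%d/%u are SSSD templates,
    # not configparser interpolation references.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    if not enabled:
        findings.append("no domains listed in [sssd] domains=")
    for name in enabled:
        section = "domain/" + name
        if not cp.has_section(section):
            findings.append(f"domain '{name}' is enabled but has no [{section}] section")
            continue
        if cp.get(section, "debug_level", fallback=None) is None:
            findings.append(f"[{section}] has no debug_level; set 6-8 while troubleshooting")
    # Sections that look like domain sections but use a different separator.
    for s in cp.sections():
        if s.lower().startswith("domain") and not s.startswith("domain/"):
            findings.append(f"section [{s}] is not of the form [domain/NAME]")
    return findings


if __name__ == "__main__":
    for finding in check_sssd_conf(QUESTION_CONF):
        print("FINDING:", finding)
```
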