with winbind in nsswitch on a AD DC user and group enumerations are always enabled. The parameter winbind enum users/groups should be honored in this setup also.
*** Bug 10746 has been marked as a duplicate of this bug. ***
see patch in this thread: https://lists.samba.org/archive/samba-technical/2013-May/092298.html but as winbind 4 should vanish anyway, work should better be put in complete winbind 3 integration for ad dc setups maybe...
since samba 4.2 we have the previous winbind implementation again, which effectively fixes this bug.