Thank you for the answer.
I read through the documentation you provided, but could not find anything we did wrong.
I really don't understand how it's possible that the integration works for one user (which is not root or even with sudo rights), but not for the other users.
Well, it almost works, because if we force smbclient to use kerberos with the -k switch, it does not work any more, and out sysadmin wants to run kerberos only.
There are two access denied in the debug output of smbclient. The first seems a bit strange, it only happens if smbclient is run by a regular user, it does not happen for root. I was expecting samba to configure the access rights for tdb files in a manner which is usable for all the users needing access to them, but it does not look like they did. Anyway, runnig smbclient as root, where this message does not come up is not solving the problem, so access to /var/cache/samba/gencache.tdb is not the root cause of the problem.
The second "access denied" is probably a simptom of the real problem, but I have no clue what process requests access to what object.
I suspect an apparmor issue, which comes preinstalled on ubuntu server 18.04, as the problem went away when we first tried to disable apparmor, but after our sysadmin tried to make an apparmor profile to solve the problem, even disabling apparmor is not helping any more.