Ok, it looks like the firewall of the UCS 4.3 Samba/AD DCs is blocking TCP ports dynamically allocated by Samba 4.7. In our lab we found that similar issues with other services (RDP and share access) could be fixed by the following adjustment, so we would suggest to check if this also fixes the issues reported in this thread.
ucr set \
security/packetfilter/package/univention-samba4/tcp/49152:65535/all="ACCEPT" \
security/packetfilter/package/univention-samba4/tcp/49152:65535/all/en="Dynamic RPC Ports (Samba)"
ucr unset \
security/packetfilter/package/univention-samba4/tcp/49152/all \
security/packetfilter/package/univention-samba4/tcp/49152/all/en
service univention-firewall restart
Please note that this needs to be adjusted on all UCS 4.3 Samba/AD DCs.