[Samba] Winbind 3.0.26a cannot authenticate with ActiveDirectory

Walter Huf hufman+samba at gmail.com
Fri Feb 22 19:43:43 GMT 2008


I am using Ubuntu Gutsy, which comes with Winbind 3.0.26a. I am using the
same configuration that worked on Ubuntu Feisty, which uses Winbind 3.0.24.
Something changed with Winbind, apparently, to break the configuration that
was working perfectly. How can I fix my configuration to work with the new
version?

The symptoms are as follows:
wbinfo -t works
wbinfo can retrieve a list of users
wbinfo can look up a user's SID by its username
wbinfo can look up a user's username by its SID
ntlm_auth can authenticate a user. I cannot use wbinfo to verify this
because my password has a ! in it. Windows Event Viewer does not show an
event for this.
Logging in fails, generating a Windows Event with error code 0xC000006A.
su username does not work, failing with "Unknown id: username"

The relevant section of smb.conf:
   workgroup = WORKGROUP
   realm = WORKGROUP.TLD
   security = ADS
   winbind enum groups = yes
   winbind enum users = yes
   winbind cache time = 600
   winbind nested groups = yes
   winbind nss info = sfu
   winbind separator = +
   winbind use default domain = yes

   idmap gid = 500-45000
   idmap uid = 500-45000
   idmap backend = ad

nsswitch.conf has the following:
passwd:         files winbind
group:          files winbind

Pam configuration:
auth    requisite       pam_nologin.so debug
auth    [success=1 default=ignore]    pam_localuser.so debug
auth    [success=done auth_err=bad]   pam_winbind.so debug
auth    required        pam_unix.so nullok_secure debug

account sufficient      pam_winbind.so debug
account required        pam_unix_acct.so debug

Relevant part of auth.log:
Feb 22 11:25:49 client sshd[4620]: Invalid user username from X.X.X.X
Feb 22 11:25:49 client sshd[4620]: Failed none for invalid user username
from X.X.X.X port 2086 ssh2
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): [pamh: 0x8006e940]
ENTER: pam_sm_authenticate (flags: 0x0001)
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): getting password
(0x00000001)
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): Verify user
'username'
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): request failed:
Wrong Password, PAM error was Authentication failure (7), NT error was
NT_STATUS_WRONG_PASSWORD
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): user 'username'
denied access (incorrect password or invalid membership)
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): [pamh: 0x8006e940]
LEAVE: pam_sm_authenticate returning 7
Feb 22 11:25:49 client sshd[4620]: pam_unix(ssh:auth): check pass; user
unknown
Feb 22 11:25:50 client sshd[4620]: pam_unix(ssh:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X
Feb 22 11:25:51 client sshd[4620]: Failed password for invalid user username
from X.X.X.X port 2086 ssh2

klist output:
Default principal: principal at WORKGROUP.TLD

Valid starting     Expires            Service principal
02/22/08 10:51:58  02/22/08 20:51:43  krbtgt/WORKGROUP.TLD at WORKGROUP.TLD
        renew until 02/23/08 10:51:58
02/22/08 11:20:58  02/22/08 20:51:43  dc$@WORKGROUP.TLD
        renew until 02/23/08 10:51:58


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


Does anyone have any ways to fix this serious problem?
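
Added example, not part of the original post: a small triage script for auth.log excerpts like the one above. It rejoins the hard-wrapped lines and separates sshd sessions where the account lookup failed (sshd logs "Invalid user" when it cannot resolve the name) from sessions where only pam_winbind rejected the password. The second session (PID 4711, user alice) and the verdict labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the auth.log excerpt in the post,
# including the mail client's hard wrapping of long lines.
SAMPLE = """\
Feb 22 11:25:49 client sshd[4620]: Invalid user username from X.X.X.X
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): request failed:
Wrong Password, PAM error was Authentication failure (7), NT error was
NT_STATUS_WRONG_PASSWORD
Feb 22 11:25:51 client sshd[4620]: Failed password for invalid user username
from X.X.X.X port 2086 ssh2
Feb 22 11:30:02 client sshd[4711]: pam_winbind(ssh:auth): request failed:
Wrong Password, PAM error was Authentication failure (7), NT error was
NT_STATUS_WRONG_PASSWORD
Feb 22 11:30:04 client sshd[4711]: Failed password for alice from X.X.X.X
port 2101 ssh2
"""

# Start of a syslog record written by sshd: timestamp, host, sshd[pid]: message
HEAD = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ sshd\[(\d+)\]: (.*)$")

def unwrap(text):
    """Rejoin wrapped continuation lines; return (pid, message) per record."""
    records = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()
    return [(pid, msg) for pid, msg in records]

def classify(text):
    """Map each sshd PID to a verdict (labels are hypothetical)."""
    by_pid = defaultdict(list)
    for pid, msg in unwrap(text):
        by_pid[pid].append(msg)
    result = {}
    for pid, msgs in by_pid.items():
        codes = [c for m in msgs for c in re.findall(r"NT_STATUS_\w+", m)]
        if any(m.startswith("Invalid user ") for m in msgs):
            # Name did not resolve on the client; look at NSS/idmap first.
            result[pid] = "account-lookup-failure"
        elif "NT_STATUS_WRONG_PASSWORD" in codes:
            result[pid] = "wrong-password"
        else:
            result[pid] = "other"
    return result

if __name__ == "__main__":
    for pid, verdict in classify(SAMPLE).items():
        print(pid, verdict)
```
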

