#3057 winbindd overrides default KRB5CCNAME when talking to trusted domain but never restores it back
Closed: Fixed None Opened 11 years ago by abbra.

When winbindd contacts a trusted AD domain, it uses the Kerberos principal DOMAIN$@AD.DOMAIN in an in-memory ccache. That in-memory ccache is made the default for the winbindd process with setenv("KRB5CCNAME", name). In order to authenticate and obtain a ticket for the principal, winbindd needs to fetch the trusted domain account password. As the ipasam passdb module also uses Kerberos and SASL to talk to LDAP, it populates the default ccache with its own principal (cifs/host@DOMAIN), so that when libads is later used by winbindd to talk to AD, it uses that principal instead of the original trust principal.

As a result, AD accepts this bind because cifs/host@DOMAIN belongs to the trusted domain, but the actual LDAP query later fails because that principal lacks sufficient privileges. It can be seen in the logs as follows, and the network trace http://cloudshark.org/captures/5cc0732887fe shows what happens on the wire (packets 46-56):
{{{
[2012/09/04 19:02:38.075943, 10, pid=23695, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
Adding cache entry with key = SAF/DOMAIN/AD.LOCAL and timeout = Tue Sep 4 19:17:38 2012
(900 seconds ahead)
[2012/09/04 19:02:38.077020, 4, pid=23695, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:2900(ads_current_time)
KDC time offset is -4 seconds
[2012/09/04 19:02:38.078311, 4, pid=23695, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:1220(ads_sasl_bind)
Found SASL mechanism GSS-SPNEGO
[2012/09/04 19:02:38.079503, 3, pid=23695, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:878(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
[2012/09/04 19:02:38.079575, 3, pid=23695, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:878(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2012/09/04 19:02:38.079613, 3, pid=23695, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:878(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2012/09/04 19:02:38.079688, 3, pid=23695, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:878(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2012/09/04 19:02:38.079726, 3, pid=23695, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:878(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2012/09/04 19:02:38.079769, 3, pid=23695, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:887(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
[2012/09/04 19:02:38.079993, 3, pid=23695, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:265(ads_cleanup_expired_creds)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Wed, 05 Sep 2012 05:02:34 EEST
[2012/09/04 19:02:38.080051, 10, pid=23695, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:532(ads_krb5_mk_req)
ads_krb5_mk_req: Ticket (ldap/winda.ad.local@AD.LOCAL) in ccache (MEMORY:winbind_ccache) is valid until: (Wed, 05 Sep 2012 05:02:34 EEST - 1346810554)
[2012/09/04 19:02:38.080160, 10, pid=23695, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:769(get_krb5_smb_session_key)
Got KRB5 session key of length 16
[2012/09/04 19:02:38.082459, 3, pid=23695, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:1043(ads_do_paged_search_args)
ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*)) -> Operations error
}}}

The idea behind the KRB5CCNAME override was to work around an API limitation in cyrus-sasl and LDAP simple bind, which do not allow passing credentials directly via GSSAPI but rely on them being in the default ccache. We found out that libads is actually not using cyrus-sasl, and therefore there is no need to make winbindd's ccache the default. One needs to pass the ccache context properly to the libads code (ads_sasl_bind) and import credentials via gss_krb5_import_cred() -- which is possible because otherwise the GSSAPI-only code in libads/sasl.c relies on spnego_gen_krb5_negTokenInit(), which calls cli_krb5_get_ticket(). Thus, krb5 is used already.
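The following is an added illustration, not code from the ticket, Samba or FreeIPA: a small Python model of why selecting credentials through the process-wide KRB5CCNAME environment variable fails once a second component (here a stand-in for ipasam) also sets it and never restores it, versus handing the ccache to the bind code explicitly, which is what importing credentials via gss_krb5_import_cred() makes possible. The `FakeGssapi` class, the two ccache names and the function names are constructed for the example; no real Kerberos library is involved.

```python
"""Model of the ccache-selection bug in #3057 (constructed example, not Samba/FreeIPA code)."""
import os
from contextlib import contextmanager

# Constructed ccache names standing in for the two ccaches described in the ticket.
TRUST_CCACHE = "MEMORY:winbind_ccache"   # would hold DOMAIN$@AD.DOMAIN
IPASAM_CCACHE = "MEMORY:ipasam_cifs"     # would hold cifs/host@DOMAIN


class FakeGssapi:
    """Stand-in for a GSSAPI implementation: credentials come from the process-wide
    default ccache (KRB5CCNAME) unless a ccache is handed over explicitly."""

    def acquire_cred(self, ccache=None):
        if ccache is not None:
            return ccache
        return os.environ.get("KRB5CCNAME", "FILE:/tmp/krb5cc_default")


def ipasam_fetch_trust_password(gss):
    """Stand-in for ipasam talking to LDAP with SASL/GSSAPI: cyrus-sasl can only
    consume the default ccache, so ipasam makes its own ccache the default and,
    as in the ticket, never restores the previous value."""
    os.environ["KRB5CCNAME"] = IPASAM_CCACHE
    return gss.acquire_cred()


def winbindd_bind_env_override(gss):
    """Buggy pattern: make the trust ccache default via setenv(), then call into
    ipasam to fetch the trust password, then bind. The bind picks up whatever
    ccache is the default *now*, i.e. ipasam's cifs/host principal."""
    os.environ["KRB5CCNAME"] = TRUST_CCACHE
    ipasam_fetch_trust_password(gss)
    return gss.acquire_cred()           # libads bind with the current default


def winbindd_bind_explicit(gss):
    """Fixed pattern: pass the ccache to the bind code directly; KRB5CCNAME is
    never touched by winbindd, so ipasam's use of the default cannot leak in."""
    ipasam_fetch_trust_password(gss)
    return gss.acquire_cred(ccache=TRUST_CCACHE)


@contextmanager
def saved_env(name):
    """Restore an environment variable on exit. This fixes the 'never restores it
    back' half of the bug but not the race: everything in the process that binds
    while the override is active still sees the overridden default."""
    old = os.environ.get(name)
    try:
        yield
    finally:
        if old is None:
            os.environ.pop(name, None)
        else:
            os.environ[name] = old


def winbindd_bind_env_override_restored(gss):
    """Override with restore: the env is clean afterwards, but the bind inside
    the override still picks up ipasam's ccache, so the fix is not sufficient."""
    with saved_env("KRB5CCNAME"):
        result = winbindd_bind_env_override(gss)
    return result


if __name__ == "__main__":
    gss = FakeGssapi()
    print("env override binds with:", winbindd_bind_env_override(gss))   # ipasam's ccache
    print("explicit ccache binds with:", winbindd_bind_explicit(gss))    # trust ccache
```

The point the model makes is the one in the ticket: an environment variable is shared, mutable process state, so using it to choose credentials for one bind lets any other code path that also relies on the default ccache change the outcome. Restoring the variable afterwards only cleans up; passing the ccache explicitly removes the dependency.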


Metadata Update from @abbra:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 3.0 RC1

7 years ago

