samba - Aug 2009 - Winbind core dump issue

Greetings

We've moved from using NIS/SFU to using Samba/Winbind connecting to our
Windows 2003 AD domain with an Openldap idmap backend on our Redhat 4/5
servers. We managed to get this mostly working in that users can
authenticate using their domain accounts (thank you Samba team!!!). We do
however keep getting the same error in the log.winbindd-idmap log:

winbindd: ../../../libraries/libldap/getentry.c:48: ldap_next_entry:
Assertion `entry != ((void *)0)' failed.
[2009/08/11 12:00:12,  0] lib/fault.c:fault_report(40)
  ==============================================================[2009/08/11
12:00:12,  0] lib/fault.c:fault_report(41)
  INTERNAL ERROR: Signal 6 in pid 25614 (3.2.13)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2009/08/11 12:00:12,  0] lib/fault.c:fault_report(43)

  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2009/08/11 12:00:12,  0] lib/fault.c:fault_report(44)
  ==============================================================[2009/08/11
12:00:12,  0] lib/util.c:smb_panic(1670)
  PANIC (pid 25614): internal error
[2009/08/11 12:00:12,  0] lib/util.c:log_stack_trace(1774)
  BACKTRACE: 28 stack frames:
   #0 winbindd(log_stack_trace+0x2d) [0x891b0c]
   #1 winbindd(smb_panic+0x8e) [0x89195e]
   #2 winbindd [0x87b660]
   #3 winbindd [0x87b671]
   #4 /lib/tls/libc.so.6 [0x377918]
   #5 /lib/tls/libc.so.6(abort+0xe9) [0x379289]
   #6 /lib/tls/libc.so.6(__assert_fail+0x101) [0x370da1]
   #7 /usr/lib/libldap-2.2.so.7(ldap_next_entry+0x6b) [0x227c3b]
   #8 /usr/lib/samba/idmap/ldap.so [0x2a36e3]
   #9 winbindd [0xb2cec0]
   #10 winbindd(idmap_unixids_to_sids+0x41a) [0xb2dbd3]
   #11 winbindd(idmap_uid_to_sid+0xb9) [0xb30059]
   #12 winbindd(winbindd_dual_uid2sid+0xb0) [0x8031c6]
   #13 winbindd [0x7f842f]
   #14 winbindd [0x7faacf]
   #15 winbindd [0x7f7ff7]
   #16 winbindd(async_request+0x20f) [0x7f79c1]
   #17 winbindd(do_async+0x13c) [0x7fad81]
   #18 winbindd(winbindd_uid2sid_async+0x77) [0x80310c]
   #19 winbindd(winbindd_getpwuid+0xb1) [0x7c9a91]
   #20 winbindd [0x7c60d9]
   #21 winbindd [0x7c6c89]
   #22 winbindd [0x7c6ad4]
   #23 winbindd [0x7c6407]
   #24 winbindd [0x7c7383]
   #25 winbindd(main+0xc7e) [0x7c82e2]
   #26 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0x364df3]
   #27 winbindd [0x7c56b1]
[2009/08/11 12:00:12,  0] lib/fault.c:dump_core(201)
  dumping core in /var/log/samba/cores/winbindd

Winbind seems to continue running but users get ID errors like 'cannot find
name for user ID #' and the machine is basically unusable for a minute or so
before it goes away. With the error referring to ldap, I'm not sure if this
is a problem with our ldap database or if it's a problem with winbind.
Initially we just used the latest versions of samba (Version
3.0.9-1.3E.13.2) from the RedHat repos but we found we were having problems
with trusted domains that we didn't have access to nor wanted to
authenticate with. We tried the 'allow trusted domains = no' and
'winbind:
ignore domains = trustdom1 trustdom2' options in smb.conf but I think these
options were not supported in this version. We then installed the 3.2.12
rpms from ftp.sernet.de which fixed that issue and got us to this stage.

Here is some information about our setup:

smbd & winbindd: Version 3.2.13

smb.conf:
[global]
        workgroup = domain
        realm = krb realm
        server string = %h Samba Server Version %v
        security = ADS
        password server = server1 server2
        local master = no
        domain master = no
        winbind cache time = 7200
        max log size = 50
        ldap admin dn = cn=manager,dc=example,dc=test,dc=com
        ldap idmap suffix = ou=idmap
        ldap suffix = dc=example,dc=test,dc=com
        idmap backend = ldap:ldap://10.0.1.16
        idmap uid = 500-10000
        idmap gid = 100-1000
        template homedir = /home/domain/%U
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        winbind enum users = yes
        winbind enum groups = yes
        allow trusted domains = no
#        winbind nested groups = yes
        winbind: ignore domains = trustdom1 trustdom2
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        cups options = raw

nsswitch.conf:
passwd:     files winbind
shadow:     files
group:      files winbind

/etc/pam.d/system-auth:
auth       sufficient   pam_env.so
auth       sufficient   pam_unix.so
auth       sufficient   pam_winbind.so try_first_pass

account    sufficient   pam_unix.so
account    sufficient   pam_winbind.so

session    sufficient   pam_unix.so
session    sufficient   pam_winbind.so

password   sufficient   pam_unix.so
password   sufficient   pam_winbind.so try_first_pass

I really have no idea where to even start with this error so would really
appreciate any help you can give.

regards

Paul