Error when starting winbindd "Failed to issue the StartTLS instruction: Insufficient access" when using the ID mapper
On Samba 3.3 and above, the default is ldap ssl = starttls. The vasidmapd daemon is a standard LDAP proxy and doesn't support the use of LDAP over SSL.
Set the below option in the smb.conf
ldap ssl = off
testparm -v will show the Samba parameters (including defaults and in smb.conf) being used.