If only cached_login is in use without krb5_auth, then authentication always fail. The problem seems to be around in winbind_auth_request() nsswitch/pam_winbind.c Only if krb5_auth is specified then request.data.auth.uid is filled with something meaningful. Later in the code if cached_login is selected there is a check for this not being -1 and if it is authentication simply fails completely.
Just rephrasing as Jeremy politely argued I was not clear enough (see IRC logs if you are curious :-) Problem: Authentication fails when *only* cached_login is specified as a pam_winbind module option Cause: When cached_login is selected a check is made to determine if request.data.auth.uid is the default value of -1. In case it is -1 an error is returned and authentication fails request.data.auth.uid is set to a non default value only when the krb5_auth option is selecetd. See nsswitch/pam_winbind.c:winbind_auth_request()
Should be fixed with -r21318.