Samba/winbind/pam AD user incorrect login because of NTLM being used?
My problem is, as hinted at by the headline, that if I try to log on to the
SLES machine with an AD account it always denies the login and says
"incorrect login". The AD Domain is at a 2012 function level and NTLM is
disabled via GPO. I have checked that NTP and DNS are set up correctly.
wbinfo -g
wbinfo -u
show the correct users and groups, and the same goes for
getent passwd <user>
getent group <group>
The /var/samba logs show nothing at all unless debug log level is turned
on, but then everything seems to be correct. I can also initiate tickets
via
kinit
and
klist -kte
shows the correct SPNs (HOST/server.fqdn and HOST/server). In /etc/smb.conf
I defined the kerberos method to be system keytab.
My suspicion that at some point NTLM is required comes from trying
wbinfo --pam-logon <user>
this returns the error code
0xC0000418 which according to Microsoft means that "authentication failed
because NTLM is blocked"
So finally ;) my question is:
"how do I configure pam/winbind to only use Kerberos and not NTLM?"
Many thanks in advance :)