I experienced mostly the same issues as you. We, at one time, used the Vintela (VAS) authentication package, but this method I put together replaced that.
What ended up working for us was a combo of Kerberos (for user authentication) / LDAP (for uid/gid synchronization) for having users access AD. We've been using this configuration, with some minor variations, for a few years now and it's done the job.
The reason we needed AD authentication is for the users to be able to use IBM/Rational ClearCase, and for them to have their /home directories stored on an NFS server. With this requirement, everything needed to be synced up from a UID/GID/USER standpoint across the different servers.
Check out the original how-to I wrote on the subject here:
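The answer above hinges on UID/GID consistency across every host that mounts the NFS home directories, because NFS (v3, and v4 without idmapping) authorizes on the numeric ids, not the user names. The following is an added example, not code from the original post or from the how-to it links to: a small Python check that compares `getent passwd` dumps (the NSS view that the LDAP-backed lookup feeds) from several hosts and reports users whose uid or gid differ, users missing on a host, and numeric uids shared by different names. The host names and the passwd lines are constructed for illustration.

```python
"""UID/GID consistency check across hosts that share NFS home directories.

Added example (not from the original post). It assumes each host's account
database was dumped with `getent passwd` and that the dumps are available as
text; the host names and passwd lines below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str


def parse_passwd(text: str) -> dict[str, Account]:
    """Parse passwd-format lines (name:pw:uid:gid:gecos:home:shell)."""
    accounts: dict[str, Account] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, _shell = fields
        accounts[name] = Account(name, int(uid), int(gid), home)
    return accounts


def find_mismatches(dumps: dict[str, str]) -> list[str]:
    """Return findings for users whose uid/gid differ between hosts, users
    missing on some host, and numeric uids that map to different names.

    `dumps` maps host name -> passwd-format text from that host."""
    parsed = {host: parse_passwd(text) for host, text in dumps.items()}
    findings: list[str] = []

    all_names = set().union(*(accts.keys() for accts in parsed.values()))
    for name in sorted(all_names):
        seen = {h: a[name] for h, a in parsed.items() if name in a}
        if len(seen) < len(parsed):
            missing = sorted(set(parsed) - set(seen))
            findings.append(f"{name}: missing on {', '.join(missing)}")
        # Same name, different numeric id: files created on one host show up
        # owned by someone else (or nobody) on the other.
        if len({a.uid for a in seen.values()}) > 1:
            findings.append(f"{name}: uid differs across hosts: "
                            + ", ".join(f"{h}={a.uid}" for h, a in sorted(seen.items())))
        if len({a.gid for a in seen.values()}) > 1:
            findings.append(f"{name}: gid differs across hosts: "
                            + ", ".join(f"{h}={a.gid}" for h, a in sorted(seen.items())))

    # Reverse check: one numeric uid used by different names means two people
    # are the same principal as far as NFS is concerned.
    by_uid: dict[int, set[str]] = {}
    for accts in parsed.values():
        for acct in accts.values():
            by_uid.setdefault(acct.uid, set()).add(acct.name)
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(f"uid {uid}: used by different names {sorted(names)}")
    return findings


# Constructed sample dumps: one ClearCase client and the NFS server.
SAMPLE_DUMPS = {
    "clearcase01": """
alice:x:10001:10001:Alice:/home/alice:/bin/bash
bob:x:10002:10001:Bob:/home/bob:/bin/bash
carol:x:10003:10003:Carol:/home/carol:/bin/bash
""",
    "nfs01": """
alice:x:10001:10001:Alice:/home/alice:/bin/bash
bob:x:10005:10001:Bob:/home/bob:/bin/bash
dave:x:10003:10003:Dave:/home/dave:/bin/bash
""",
}


def check_sample() -> list[str]:
    """Run the check over the constructed sample dumps."""
    return find_mismatches(SAMPLE_DUMPS)


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

In practice the dumps would come from `getent passwd` on each host (and the same check applied to `getent group`), and an empty result is the condition to verify before moving a user's home directory onto the NFS server.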