Unfortunately, MS doesn't want this to work. MS AD contains a modified Kerberos with features not supported by standard Kerberos. Standard Kerberos clients can work with AD (as the protocol was slightly modified to "accommodate" the non-standard extensions), but not the inverse. I believe the AD version of LDAP is also slightly modified, but I don't know in which way. In addition, AD requires very specific additions to its DNS configuration (every AD server is also a name server).
Most of this has been rolled into Samba 4 (it provides the ACL translation), but I have read that the Kerberos extensions are not yet available/supported.
The Kerberos extensions were meant to turn an authentication protocol into an authentication+authorization protocol - so MS took an "unused" field and expanded it to carry authorization information, and thus made it incompatible with standard Kerberos (which didn't use the field). Since the field did have a length specification (also unused), none of the clients would work. The modification was mostly to the clients: ignore the field, and use the length value to know how much to ignore. Previously neither was used, and being a fixed size it was trivial to ignore (but it broke as soon as the size was non-zero).
This should be detailed better in the Samba 4 documentation.
might help. But note - there still appears to be an AD central server.
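The earlier paragraph about the "unused" field with a length specification describes a general parsing lesson: a reader that assumes an optional slot is always empty (fixed size) breaks the moment someone fills it, while a reader that honours the length prefix can step over data it does not understand. The following is an added illustration, not code from the thread, from Samba, or from any Kerberos implementation. It uses a deliberately simplified DER-style tag/length/value encoding of a ticket body with an authorization-data slot; the layout, the field names, and the helper names (`build_ticket`, `parse_naive`, `parse_tolerant`) are constructed for this example and are not the real Kerberos ASN.1 structures. The ad-type value 128 is the one RFC 4120 lists for AD-WIN2K-PAC; everything else is made up.

```python
"""Added example (not from the post, Samba, or any Kerberos code).

A toy DER-style encoding with an authorization-data slot, contrasting a
naive reader that assumes the slot is always the 2-byte empty SEQUENCE with
a reader that walks tag/length/value and skips what it does not understand.
"""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
AD_WIN2K_PAC = 128  # ad-type value RFC 4120 lists for the Windows PAC


def tlv(tag, value):
    """Encode one tag/length/value element (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def read_tlv(buf, pos):
    """Decode the element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def int_tlv(v):
    """Fixed 4-byte INTEGER, a simplification of real DER integer encoding."""
    return tlv(INTEGER, v.to_bytes(4, "big"))


def build_ticket(cname, authz_elements, flags):
    """Constructed ticket body: cname, authorization-data slot, flags.

    authz_elements is a list of (ad_type, ad_data); an empty list models the
    pre-extension world where the slot exists but carries nothing.
    """
    authz = b"".join(
        tlv(SEQUENCE, int_tlv(t) + tlv(OCTET_STRING, d)) for t, d in authz_elements
    )
    body = tlv(OCTET_STRING, cname) + tlv(SEQUENCE, authz) + int_tlv(flags)
    return tlv(SEQUENCE, body)


def parse_naive(ticket):
    """The brittle reader: assumes the authz slot is always 0x30 0x00."""
    try:
        _, body, _ = read_tlv(ticket, 0)
        _, cname, pos = read_tlv(body, 0)
        pos += 2  # blindly step over what it believes is an empty SEQUENCE
        tag, flags, _ = read_tlv(body, pos)
    except IndexError:
        return None
    if tag != INTEGER:
        return None  # layout assumption violated; fields are misaligned
    return cname, int.from_bytes(flags, "big")


def parse_tolerant(ticket, known_ad_types=frozenset()):
    """The forward-compatible reader: every element is walked by its length.

    Returns (cname, flags, understood_elements, bytes_skipped). Elements in the
    authz slot whose ad-type is unknown are stepped over, never interpreted.
    """
    _, body, _ = read_tlv(ticket, 0)
    _, cname, pos = read_tlv(body, 0)
    _, authz, pos = read_tlv(body, pos)
    understood, skipped, p = [], 0, 0
    while p < len(authz):
        _, elem, p = read_tlv(authz, p)
        _, ad_type, q = read_tlv(elem, 0)
        _, ad_data, _ = read_tlv(elem, q)
        t = int.from_bytes(ad_type, "big")
        if t in known_ad_types:
            understood.append((t, ad_data))
        else:
            skipped += len(elem)
    _, flags, _ = read_tlv(body, pos)
    return cname, int.from_bytes(flags, "big"), understood, skipped


if __name__ == "__main__":
    plain = build_ticket(b"alice", [], 0x40)
    # Constructed stand-in for a PAC-sized blob (300 zero bytes, long-form length)
    extended = build_ticket(b"alice", [(AD_WIN2K_PAC, bytes(300))], 0x40)
    print("naive, empty slot:   ", parse_naive(plain))
    print("naive, populated:    ", parse_naive(extended))
    print("tolerant, populated: ", parse_tolerant(extended)[:2])
```

The two readers agree while the slot is empty; once it carries a PAC-sized element only the length-driven one still finds the fields after it, and passing `{AD_WIN2K_PAC}` as `known_ad_types` is all it takes for that same reader to start consuming the blob instead of skipping it.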