Been away from this issue for a while and am finally getting back in.
Never managed to make winbind work using the idmap backend AD options. Can run it using a local (random) tdb file mapping for UIDs and GIDs, or can use the RID mapping (non-random numbers that are consistent from machine to machine but still not the AD value for UID and GID), but if I turn on the AD mapping the client can no longer identify the user at all and logins fail.
Worse, winbind in the included samba version for CentOS_6 seems to eventually go pathological and lock up the machine. For now we're running using krb5 authentication against the AD, and need to create local accounts for all users on the machine. Winbind is no longer running.
I'm currently leaning toward using SSSD with LDAP for account info and KRB5 for authentication. Have found several simple-looking howtos (e.g. http://www.beduine.de/?p=657) for this, all claiming to do exactly what I want and easy-peasy. However, none of them work.
Has anyone made this work? Can anyone point me toward a howto they know to be accurate and complete?
Hope to hear from you.
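For the SSSD route the post describes (LDAP id provider against AD for account data, Kerberos for authentication, and the real uidNumber/gidNumber values from AD rather than a generated mapping), this is an added example of an /etc/sssd/sssd.conf that is not from the original post or the linked howto. The domain name example.com, the realm EXAMPLE.COM, the controller dc1.example.com, the search base and the host keytab principal are all placeholders that must be replaced; the RFC2307 attribute names assume the AD accounts have been populated with uidNumber, gidNumber, unixHomeDirectory and loginShell (Identity Management for UNIX / RFC2307 attributes), since without them the LDAP provider has nothing to return and lookups fail in exactly the "cannot identify the user" way described above.

```ini
; /etc/sssd/sssd.conf - added example, not the poster's configuration.
; Must be mode 0600 and owned by root, or sssd refuses to start.

[sssd]
config_file_version = 2
services = nss, pam
domains = example.com          ; placeholder domain name

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/example.com]
; Account data from AD over LDAP, authentication via Kerberos.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = simple       ; swap for a group-based ACL once lookups work

; --- LDAP side (AD) ---
ldap_uri = ldap://dc1.example.com         ; placeholder domain controller
ldap_search_base = dc=example,dc=com      ; placeholder base DN
ldap_schema = rfc2307bis                  ; AD uses member/memberOf, not memberUid
ldap_referrals = False                    ; AD returns referrals that hang plain LDAP clients
ldap_id_use_start_tls = False             ; GSSAPI SASL gives integrity/privacy instead

; Bind with the machine's Kerberos keytab instead of a cleartext bind password.
; Assumes the host was joined and /etc/krb5.keytab holds host/<fqdn>@EXAMPLE.COM.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM   ; placeholder principal
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = True

; Map AD's object classes and attribute names onto the POSIX fields.
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber          ; real AD value, no generated mapping
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
ldap_group_member = member
ldap_force_upper_case_realm = True

; --- Kerberos side ---
krb5_realm = EXAMPLE.COM                  ; placeholder realm
krb5_server = dc1.example.com
krb5_canonicalize = False

; Caching / behaviour
cache_credentials = True                  ; offline logins with cached hashes
enumerate = False                         ; never enumerate a whole AD domain
```

Once the file is in place, `chmod 0600 /etc/sssd/sssd.conf`, enable the stack with `authconfig --enablesssd --enablesssdauth --update`, restart sssd, and check the resolution path before attempting a login: `getent passwd someaduser` and `id someaduser` should return the AD uidNumber and gidNumber; if they return nothing, raise `debug_level = 6` in the `[domain/...]` section and read /var/log/sssd/sssd_example.com.log, where the two usual causes show up plainly (the GSSAPI bind failing because the keytab principal does not match, or the user object simply lacking uidNumber). Clear the cache with `sss_cache -E` after changing attribute mappings, since stale negative entries otherwise mask a fix. If there is no machine keytab, `ldap_default_bind_dn` plus `ldap_default_authtok` with a dedicated read-only AD account is the fallback, at the cost of a cleartext credential in the file.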