winbind vs. sssd for Active Directory and partially configured RFC2307bis

Steve French smfrench at gmail.com
Thu Feb 9 22:00:46 UTC 2017


I forgot to cc: samba-technical on a question I just asked on the sssd forum.

One of the more common cases for sssd (or winbind) with RFC2307bis
seems to be getting uids/gids from Active Directory domains, but few
Active Directories have all of their users/groups configured for the
POSIX uid/gid. There are a couple cases - one how to configure Samba
to deal with users that are only partially configured in AD, and then
the more general case of how to configure nss for this.

How can you configure winbind (or sssd) behavior for this common case
(among the three behaviors that might be desired):

1) query AD for the Unix uid/gid and fail if that particular user is
not configured with a uid (this seems to be what sss always does and
isn't really practical given how unlikely it is that AD is configured
perfectly for unix uids)

2) query AD for the Unix uid/gid and if that user is not configured
with a uid map to a default uid (uid of something like "guest" or
"defaultuser" or whatever)

3) query AD for the Unix uid/gid and if that user is not configured
with a uid map algorithmically

I didn't see much useful on this topic when googling for it. If sssd
doesn't do that, is this another case where winbind can do it better?
Is there a way to configure the nsswitch passwd line to fall back to a 3rd
trivial alternative (files winbind default e.g.) that provides a
default uid for a user at domain who does not have a uid/gid configured
in AD?

-- 
Thanks,

Steve


