[Samba] Winbind vs pam_krb5/nss_ldap

[AD.]

Hi all,

I am just after some opinions about the pros and cons of winbind
compared to the 'standard' kerberos and ldap methods. I've have
already got single sign on working with pam_krb5 and nss_ldap (using
SASL/GSSAPI) against SBS 2003 (with MSSFU 3.0) using Debian Sarge as
clients/'member servers', and integration of Samba is the next bit I'm
looking at.

The impressions I get are (corrections welcome):

Winbind should be a bit simpler to set up than the pam/nss option, and
mean a bit less work entering UIDs and GIDs etc into Active Directory
and generating keytabs etc.

Using the standard kerberos/ldap methods should give more flexibility
for integrating with other unix based services eg consistent uid
mapping between machines (when using Active Directory at least) etc.

Winbind users need to log on using DOMAIN\USER, while pam_krb5 users
just need to use USER for their default realm. Or am I wrong about
that one?

Winbind users can change their AD password while pam_krb5 users can't
(at this stage).


Now for some questions...

Is it possible or is there any value in using both winbind and
pam_krb5/nss_ldap together? How would they integrate?

If it's even possible, what would I miss out on if not using winbind?
I presume there still needs to be some sort of SID mapping going on
for Samba to do its stuff?