[Samba] Samba 4 AD member server authentication issues, domain vs. ads security

Eric Shell eshell at ucsc.edu
Wed Jun 22 16:11:43 UTC 2016

I have an environment with two separate AD instances which each have both a
Samba 3 and Samba 4 file server joined to them.  Last week, we began to
experience authentication failures in both domains on the Samba 4 file
servers.  After a lot of experimenting, we found that changing the security
setting from domain to ads resolved the problem for the Samba 4 servers.

However, the Samba 3 servers are still configured with security = domain
and are continuing to authenticate users without issue.  Also, due to the
fact that ads requires a Kerberos ticket, there are some clients that can
no longer authenticate because they are not able to acquire tickets from
the AD Kerberos realms.

I have a few questions that I've so far been unable to answer:

1.  What happened to break authentication for the Samba 4 servers last
week? Was it some kind of Microsoft patch, perhaps?  Why weren't the Samba 3
servers affected by whatever changed?

2.  Is there an "ideal" configuration for a Samba file server as a member
of an AD domain?  From what I've read, ads is the preferred security
method.  If we should continue using ads, how do we best handle clients
that will not have Kerberos tickets?
