I'm trying again with a more generic form of the question.

1. There is an existing AD that I *do not control*. I want to authenticate
with this using tickets from Windows domain login. I can join it, but
that's it. I cannot write anything in it, and the user information already
there is useless. We need the existing AD/Kerberos only so users can use
their broader institutional credentials (either username/password or login
tickets, depending on client situation).

2. There is a totally separate OpenLDAP server that has UNIX UID, GID, and
groups information. This information is necessary for group-based access to
shares. All files are labeled with UIDs and GIDs from this existing

3. Can Samba authenticate a domain user against the AD server and look up
*ALL* user and group information based on %U, the username, from the
OpenLDAP server?

This was *definitely* possible in Samba < 4.8.0, and it worked completely
transparently (no separate mapping database or per-user operations
necessary). I have been unable to accomplish the same with Samba >= 4.8.0
after tremendous effort. Could somebody please either give some idea what a
configuration to accomplish this might look like or let me know this is no
longer possible so that I can try to consider other options?

I appreciate the responses I've gotten to more specific and verbose
versions of the question, but I have not understood how they can be helpful.

