I've got some RHEL 5 servers in a mixed environment where I'd like to
use Kerberos or Winbind for user authentication against an Active
Directory server, but seem to have trouble getting it to behave
correctly.

I've got two distinct installations, whose 'authconfig --test' looks
like this. Winbind is active for authentication and user information.
Very small changes in configuration make things fail rather
unpredictably. What I'd like to do is set these up so that the local
server controls the client's home directory and shell, by putting them
in /etc/passwd, and using Kerberos or Winbind for user authentication.
That works, but there's trouble with the "idmap uid" and "idmap gid".
Namely, they automatically wind up set like this in smb.conf:

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

The result is that uid's and gid's from Winbind wind up greater than
65,535. Unfortunately, I've got other systems in the network that are
old UNIX boxes and have a much more limited range for UID's. And this
makes rsync, NFS, and other uid dependent operations quite awkward.
I'd like to reset these servers to use a lower idmap range, but
attempting to set it in smb.conf fails. Does anyone know enough to
help me address this? Or do I need to install Active Directory's
'Services for UNIX' on the Active Directory Server, and take direct
control of this?

# Output of 'authconfig --test', with site information removed.

caching is enabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is disabled
LDAP+TLS is disabled
LDAP server = "ldap://127.0.0.1/"
LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is enabled
SMB workgroup = "DOMAIN"
SMB servers = "adserver.com:88"
SMB security = "ADS"
SMB realm = "DOMAIN.COM"
Winbind template shell = "/bin/bash"
SMB idmap uid = "16777216-33554431"
SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is md5
pam_krb5 is disabled
krb5 realm = "DOMAIN.COM"
krb5 realm via dns is disabled
krb5 kdc = "adserver.com"
krb5 kdc via dns is disabled
krb5 admin server = "adserver.com:749"
pam_ldap is disabled

LDAP+TLS is disabled
LDAP server = "ldap://127.0.0.1/"
LDAP base DN = "dc=example,dc=com"
pam_pkcs11 is disabled

use only smartcard for login is disabled
smartcard module = "None"
smartcard removal action = ""
pam_smb_auth is disabled
SMB workgroup = "DOMAIN"
SMB servers = "adserver.domain.com:88"
pam_winbind is enabled
SMB workgroup = "SWIFT"
SMB servers = "adserver.domain.com:88"
SMB security = "ADS"
SMB realm = "DOMAIN"
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled