Impressive. I'm sorry you had to go through this.
However, it looks like you're close.
I would disable (or remove) samba and just focus on CDC
Is the client connected (adinfo should display)
What's the de-identified output of adinfo -T?
What happens when you do an adquery user or adquery group command?
It would be good to also know the output of the passwd and group stanza on /etc/nsswitch.conf
Some tips on testing raw authentication:
adquery user -A -u test.user
helps you test using just the agent, bypassing PAM, NSS or any app like Login or SSH. It will prompt you for the password of the user and if you type it correctly, that's an end-to-end test of the client connectivity.
Keep this handy: https://community.centrify.com/t5/TechBlog/TIPS-A-Centrify-Server-Suite-Cheat-Sheet/ba-p/22568
Most folks find what they need there.
R.P