Understood.
Note that you're trying to configure Samba server for Kerberos. Before the Badlock vulnerability, we used to ship a Centrified version of Samba that would make these configurations quite simple. Today we only focus on the Identity Mapper. It looks like you may have configured our piece correctly, but have some tweaking to do on the samba side.
Robertson