Comment 1 for bug 1952219

Stefan Metzmacher (metze) wrote :

The Samba Team announced that domain member setups must use winbindd in 4.8.0:
https://www.samba.org/samba/history/samba-4.8.0.html in 2018.

In order to accept AD Kerberos authentication you need to configure the server as
a domain member with 'security = ads' and without 'server role = standalone server'.

In your case you most likely want to configure idmap_nss (see man idmap_nss)
and run winbindd, but without nss_winbind.

Note the above implies the patches from
https://bugzilla.samba.org/show_bug.cgi?id=14901
are included.

Unrelated here but the patch from
https://bugzilla.samba.org/show_bug.cgi?id=14899
should also be applied.
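
The following check is an added example, not part of the comment above and not Samba project code: it parses an smb.conf and an nsswitch.conf and reports where they differ from the setup the comment describes ('security = ads', no standalone server role, an idmap domain on the nss backend, no winbind source in NSS). The sample files, the EXAMPLE domain, the ranges and the function names are constructed, and reading "without nss_winbind" as "no winbind entry on the passwd/group lines of nsswitch.conf" is an assumption.

```python
import re

# Constructed sample files, not taken from the bug report.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config EXAMPLE : backend = nss
    idmap config EXAMPLE : range = 1000-999999
"""
SAMPLE_NSSWITCH = "passwd: files\ngroup: files\n"

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict with normalised keys."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and whitespace
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def check_member_setup(smb_conf, nsswitch):
    """List deviations from the setup the comment describes (empty list = matches)."""
    p, problems = parse_global(smb_conf), []
    if p.get("security", "").lower() != "ads":
        problems.append("security is not 'ads'")
    if re.sub(r"[\s_]+", "", p.get("serverrole", "")).lower().startswith("standalone"):
        problems.append("server role is standalone")
    if not any(re.fullmatch(r"idmapconfig.+:backend", k) and v.lower() == "nss" for k, v in p.items()):
        problems.append("no idmap domain uses the nss backend")
    for line in nsswitch.splitlines():
        db, _, sources = line.partition(":")
        if db.strip() in ("passwd", "group") and "winbind" in sources.split("#")[0].split():
            problems.append(f"nsswitch {db.strip()} uses winbind")
    return problems
```

The check reads only the [global] section and does not follow `include` directives or confirm that winbindd is actually running.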