samba - Dec 2005 - Unresolved Questions for Active Directory Kerberos/LDAP/AD4Unix or SFU35 support?

I have been digging around for information on this in either online and
published books, but I haven't yet found the answer.  I am interested in
AD connective through AD Kerberos/LDAP/SFU or AD Kerberos/LDAP/AD4Unix.
I have a pure win2k3 environment, so there is no backwards support via
PDC emulator.  Published books document older NT-like environments.
*cries* If there are any documents, how-tos, etc, I would appreciate any
pointers...

Questions:

  - Is anything needed on the client configuration for Kerberos outside
of SAMBA?  Do I use Kerberos PAM modules on sourceforge for
authentication or does SAMBA umbrella provide its own PAM modules for
this?
  - Does SAMBA access lookups to LDAP through raw LDAP (StartTLS) or
LDAPS? Or is Kerberos somehow used to encrypt the traffic?
  - I saw notes on what seemed to be SFU3.0.  Is AD4Unix supported for
sid & gid/uid mapping? (it uses Posix schema, and the O'Reilly LDAP book
indicated that posix schema is supported by SFU3.5)
  - Can multi-domain environments be supported?
  - Are nested groups supported? I'm interested in using ACLs on Linux
and using nested group membership for restricting file access via
shares.

Thanks so much in advance.

I'm currently experimenting with PADL solutions and NFS, but wanted to
move off of that due to lack of caching of LDAP queries (performance
issues and reliability issues) and noted that winbindd for at least
older NT domains had some caching capabilities.

 Joaquin