Use Samba 4. This way you have a complete Active Directory (Kerberos).
I do not know if this is possible, but I also do not think that this is necessary, since you have all these features if you have a correct domain and are not running all the logic on the client.
This happens automatically if the Windows machine is a member of your Samba 4 domain.
No. At the end of the day, the credential provider performs a Windows authentication. And this is usually a local user authentication or a Kerberos authentication in the domain.
But we will think about whether there is any use case that would make sense for us.