https://lists.samba.org/archive/samba-technical/2016-June/114707.html says it all. gensec is unusable in tldap. We need to remove tldap again and go back to the 4.2 version of idmap_ad.
After discussion on samba-technical, this is seen as the wrong approach.