Winbind paired with krb5-user is able to change the role of any computer in the domain (when using misconfigured setup files). Even the role of the domain controller. When writing the config files, krb5.conf and smb.conf, if the domain controller (or any other server) is entered in as the computer, then when you attempt to join the computer to the domain, the Active Directory entry for the controller (or server) is overwritten. I recently ran into this issue and took down an entire domain doing this. Of course the misconfigured files are my fault, but I felt this was not something that should be able to happen in the first place. If a user attempts to connect as the domain controller, there should be an error and the user should not be able to continue with the process; at least this is my opinion of how things should work. But I just feel like you shouldn't be able to overwrite the domain controller's attributes in its own domain.
*** Bug 5621 has been marked as a duplicate of this bug. ***
Please reopen if this is still the case with the current Samba 4.0 or 4.1 code base. Have you considered using the Apache mod_auth_kerb from http://modauthkerb.sourceforge.net/ instead?
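An added example, not part of this report or of Samba's code: a pre-join check for the misconfiguration described in the original report. It assumes the problem case is that the name Samba would join as (`netbios name` in smb.conf, or the local hostname when unset) matches a `kdc` or `admin_server` host in krb5.conf; the function names, sample files and hostnames are constructed.

```python
import re

def _short(host):
    """Lower-cased first DNS label, with any :port suffix dropped."""
    return host.strip().split(":")[0].split(".")[0].lower()

def smb_machine_name(smb_conf, fallback_hostname):
    """Name Samba would join as: 'netbios name' from [global],
    else the first label of the local hostname (Samba's default)."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded spaces
            if key.replace(" ", "").lower() == "netbiosname":
                return _short(value)
    return _short(fallback_hostname)

def krb5_servers(krb5_conf):
    """Short names of every kdc / admin_server listed in krb5.conf."""
    hits = re.findall(r"^\s*(?:kdc|admin_server)\s*=\s*(\S+)", krb5_conf, re.M)
    return {_short(h) for h in hits}

def join_collides(smb_conf, krb5_conf, local_hostname):
    """True when the join name equals a listed KDC/admin server name."""
    return smb_machine_name(smb_conf, local_hostname) in krb5_servers(krb5_conf)

# Constructed sample files (assumed layout, not taken from the report)
KRB5 = """[realms]
    EXAMPLE.TEST = {
        kdc = dc1.example.test:88
        admin_server = dc1.example.test
    }
"""
SMB_OK = "[global]\n  workgroup = EXAMPLE\n  realm = EXAMPLE.TEST\n  security = ads\n"
SMB_BAD = SMB_OK + "  NetBIOS Name = DC1\n"

if __name__ == "__main__":
    for label, conf in (("bad", SMB_BAD), ("ok", SMB_OK)):
        verdict = "REFUSE join" if join_collides(conf, KRB5, "web01.example.test") else "proceed"
        print(label, "->", verdict)
```

Run against the real files before the join step and stop if it reports a collision.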