roles/winbind: Use ad idmap backend

The `ad` identity mapper backend is apparently the only one that can
use shell, home directory, etc. attributes from the directory now (as of
Samba 4.6).

roles/winbind/defaults/main.yml

@@ -1,4 +1,4 @@
-winbind_idmap_range: 16777216-33554431
+winbind_idmap_range: 3000000-3009999
 winbind_nss_info: rfc2307
 winbind_use_default_domain: true
 winbind_offline_login: true

roles/winbind/templates/winbind.conf.j2

@@ -1,11 +1,13 @@
 template homedir = /home/%U
 template shell = /bin/bash
 
-{% if winbind_idmap_backend is defined %}
-idmap backend = {{ winbind_idmap_backend }}
-idmap config * : backend = {{ winbind_idmap_backend }}
+idmap config * : backend = tdb
+idmap config * : range = 1000000-1000999
+idmap config {{ workgroup }} : backend = ad
+idmap config {{ workgroup }} : range = {{ winbind_idmap_range }}
+{% if winbind_nss_info == 'rfc2307' %}
+idmap config {{ workgroup }} : unix_nss_info = yes
 {% endif %}
-idmap config * : range = {{ winbind_idmap_range }}
 
 kerberos method = {{ winbind_kerberos_method }}