Pursuit of True Active Directory Integration

Your solutions here are either FreeIPA or Centrify/PowerBroker. FreeIPA is part of your standard RHEL subscription so there is already some savings in place.

FreeIPA can be run in a mode where all users and groups can come from Active Directory. You would only keep mapping of those users and groups to POSIX-specific environments in FreeIPA, like SUDO rules, public SSH keys, host-based access control definitions, SELinux context assignments and so on. To do so you would need to map some of your AD users/groups to some groups in FreeIPA, but that is not a duplication of the information; it is amending it with the parts that are not AD-specific.

The way FreeIPA implements compatibility with Active Directory is by presenting itself as an Active Directory-compatible forest, of sorts. It is enough to allow FreeIPA resources to be consumed by AD users via cross-forest trust but not enough to allow FreeIPA users to access Windows systems on the other side of the trust. You seem to be interested in the first part so this should be fine.

With FreeIPA 4.1, which is part of the RHEL 7.1 beta already (hopefully, RHEL 7.1 will be out 'soon'), we have a powerful mechanism to keep the overrides for AD users and groups in FreeIPA, and SSSD is capable of discovering all of them at per-server granularity.
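The mapping the reply above describes (AD group to an external IPA group to a POSIX IPA group, with HBAC and sudo rules hung on the POSIX group) as an added shell example that is not from this thread or the FreeIPA project; the domain, group, host and user names are assumptions, and the script only prints the ipa commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the thread): bridge an AD group into FreeIPA and
# attach HBAC and sudo rules to the resulting POSIX group.  All names
# (AD.EXAMPLE.COM, ad_admins, jdoe, web1.ipa.example.com) are assumptions.
# By default the ipa commands are only printed; run with DRY_RUN=0 and a
# valid admin ticket (kinit admin) to apply them against a live server.
set -e
: "${DRY_RUN:=1}"

# run CMD...: print the command in plan mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# map_ad_group 'DOMAIN\Group' ipa_group
# AD group -> external IPA group (stores only the AD SID, no GID) -> POSIX
# IPA group (gets a GID).  Nothing from AD is copied; the POSIX group is just
# the hook that the POSIX-only rules below attach to.
map_ad_group() {
    ad_group="$1"; ipa_group="$2"
    run ipa group-add "${ipa_group}_external" --external \
        --desc="External map of ${ad_group}"
    run ipa group-add-member "${ipa_group}_external" --external="${ad_group}"
    run ipa group-add "${ipa_group}" --desc="POSIX group for ${ad_group}"
    run ipa group-add-member "${ipa_group}" --groups="${ipa_group}_external"
}

# grant_ssh_and_sudo ipa_group: allow sshd on every IPA host and grant sudo to
# the POSIX group; AD members inherit both through the membership chain above.
grant_ssh_and_sudo() {
    ipa_group="$1"
    run ipa hbacrule-add "allow_${ipa_group}_ssh" --hostcat=all
    run ipa hbacrule-add-service "allow_${ipa_group}_ssh" --hbacsvcs=sshd
    run ipa hbacrule-add-user "allow_${ipa_group}_ssh" --groups="${ipa_group}"
    run ipa sudorule-add "${ipa_group}_sudo" --hostcat=all --cmdcat=all
    run ipa sudorule-add-user "${ipa_group}_sudo" --groups="${ipa_group}"
}

# verify_access user@AD.REALM host: ask the IPA server's HBAC evaluator whether
# that AD user may use sshd on host (only meaningful with DRY_RUN=0).
verify_access() {
    run ipa hbactest --user="$1" --host="$2" --service=sshd
}

map_ad_group 'AD.EXAMPLE.COM\Domain Admins' ad_admins
grant_ssh_and_sudo ad_admins
verify_access jdoe@ad.example.com web1.ipa.example.com
```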
I would really like to hear what you mean by "real AD groups" when talking about SSSD. The newer versions of SSSD don't require the groups to have POSIX attributes and mostly read the group memberships from TokenGroups if the AD provider is used.

Also, in RHEL 7.1 (upstream 1.12+), the SSSD gained the capability to do access control checks using GPO policies.

Feel free to come and write to the sssd-users list if you have a specific question.