I agree that debating further on the "Microsoft or not" is useless, so let's stop this here.
That said, either your wording or your technical understanding is maybe not wrong but biased: SSO is not here because of Samba but because of Kerberos. One could perfectly have Kerberos and therefore SSO without any CIFS or AD-like service.
Regarding ppolicy overlay: like for account management, this is a matter of ownership.
One could have ppolicy available for LDAP and decide, just as an example:
- when Samba is not deployed, ppolicy can be configured locally (meaning in LDAP)
- when Samba is deployed, it takes the ownership and local ppolicy update is not possible because Samba owns everything.
BTW, this opens the door for a lot of other questions (I know this quite well because I had to design and implement LDAP - AD - mail account and password synchronisation a long time ago in another life).