Hi, we have a similar setup, separate KDC for hadoop and one-way trust with AD. All cluster nodes are added to AD and we have configured winbind so that we have access to AD users and groups. We had to increase the limits on UID as AD was generating numbers exceeding the default limits.
This way we can use the groups <AD USERNAME> command to get all AD groups that the user is a member of. The nice thing is that we can also configure access permissions in HDFS based on these AD groups.
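As an added example (not part of the post above or of the poster's setup), the script below checks the two things the reply describes: that the winbind idmap range fits inside the node's UID limits, and that a user's AD groups can be read back for HDFS authorization decisions. It assumes the limit the poster raised is UID_MAX in /etc/login.defs (the post does not name the setting), uses a made-up domain name EXAMPLE with constructed smb.conf, login.defs and `id` fragments, and resolves group names from `id` output rather than `groups`, because `id` wraps each name in parentheses and so keeps AD group names that contain spaces intact.

```shell
#!/bin/sh
# Added example; the config fragments and `id` output below are constructed
# sample data, not captured from a real cluster.

SMB_CONF_SAMPLE='[global]
   security = ads
   winbind use default domain = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-49999999'

# Constructed /etc/login.defs fragment with the common default ceiling.
LOGIN_DEFS_SAMPLE='UID_MIN                  1000
UID_MAX                 60000'

# Constructed `id alice` output as winbind would print it (hypothetical user).
ID_ALICE_SAMPLE='uid=10512(alice) gid=10513(domain users) groups=10513(domain users),10600(hdfs-finance),10601(hdfs-admins)'

# idmap_range DOMAIN SMBCONF -> prints "LOW HIGH" for that domain's idmap range
idmap_range() {
  printf '%s\n' "$2" | awk -v d="$1" '
    $1 == "idmap" && $2 == "config" && $3 == d && $4 == ":" && $5 == "range" && $6 == "=" {
      split($7, r, "-"); print r[1], r[2]
    }'
}

# login_defs_value KEY LOGINDEFS -> prints the numeric value configured for KEY
login_defs_value() {
  printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2 }'
}

# idmap_fits DOMAIN SMBCONF LOGINDEFS
#   returns 0 if the idmap range lies inside UID_MIN..UID_MAX,
#   1 if it exceeds those limits (the failure mode the post ran into),
#   2 if no range is configured for DOMAIN.
idmap_fits() {
  range=$(idmap_range "$1" "$2")
  [ -n "$range" ] || return 2
  low=${range% *}
  high=${range#* }
  uid_min=$(login_defs_value UID_MIN "$3")
  uid_max=$(login_defs_value UID_MAX "$3")
  [ "$low" -ge "$uid_min" ] && [ "$high" -le "$uid_max" ]
}

# ad_groups ID_OUTPUT -> one group name per line from the groups=... field.
# Names are taken from inside the parentheses, so "domain users" stays one entry.
ad_groups() {
  printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# user_in_group ID_OUTPUT GROUP -> 0 if GROUP is one of the user's AD groups
user_in_group() {
  ad_groups "$1" | grep -Fxq -- "$2"
}

# Report for the constructed data: the RID-based range overruns the default UID_MAX.
for dom in '*' EXAMPLE; do
  if idmap_fits "$dom" "$SMB_CONF_SAMPLE" "$LOGIN_DEFS_SAMPLE"; then
    echo "idmap range for '$dom' fits within UID_MIN..UID_MAX"
  else
    echo "idmap range for '$dom' exceeds UID_MAX; raise UID_MAX/GID_MAX before joining nodes"
  fi
done
echo "AD groups for alice:"
ad_groups "$ID_ALICE_SAMPLE"
```

Run it on a real node by replacing the constructed strings with `cat /etc/samba/smb.conf`, `cat /etc/login.defs` and `id <AD USERNAME>`; a range that fails `idmap_fits` is exactly the situation where users appear in AD but their UIDs are rejected on the cluster nodes.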