There are multiple options here depending on how you want to set things up. The simplest solution is probably just to configure PAM to authenticate via Kerberos to the CIT AD. If that sounds like a workable solution to you then all you need to do is configure krb5.conf, pam.d/system-auth and pam.d/sshd (if you want remote authentication). This is all detailed in Tim's documentation but here is the cliff notes version (note that this is CentOS 7-centric and might need some tweaks for other Linux flavors):
Note that the first line is what ACOM uses as we restrict remote authentication to OTP only.
This method requires you to create local users manually but does eliminate the need for the "restriction" options (see MMM's notes) while also satisfying the need to centrally log all authentication attempts on the Domain Controllers. For those systems that are mobile you still need to set a local password as this method of "pass through" authentication does not cache credentials in any way. If you need that functionality then you need to look at the "realm" command (also detailed in both ACOM's and MMM's notes).
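An illustrative sketch of the pass-through setup described above, added here and not the configuration from Tim's, ACOM's or MMM's notes. The realm name CIT.UCAR.EDU and the use of citdcfl02.cit.ucar.edu as the KDC are assumptions, and the PAM lines follow the stock CentOS 7 pam_krb5 layout.

```conf
# ---- /etc/krb5.conf ----
# Assumption: the realm is the upper-cased DNS domain of the DC named on this page.
[libdefaults]
  default_realm = CIT.UCAR.EDU
  dns_lookup_kdc = true

[realms]
  CIT.UCAR.EDU = {
    # Assumption: the DC used for the domain join also serves as the KDC.
    kdc = citdcfl02.cit.ucar.edu
  }

[domain_realm]
  .cit.ucar.edu = CIT.UCAR.EDU
  cit.ucar.edu = CIT.UCAR.EDU

# ---- /etc/pam.d/system-auth (auth and account stacks only) ----
# pam_unix runs first, so a locally set password still works when the
# domain controllers are unreachable (the mobile-system case above).
# pam_krb5 then passes the same password to the KDC; nothing is cached.
auth      required    pam_env.so
auth      sufficient  pam_unix.so try_first_pass
auth      requisite   pam_succeed_if.so uid >= 1000 quiet_success
auth      sufficient  pam_krb5.so use_first_pass
auth      required    pam_deny.so

# pam_unix is "required" here, so a login only succeeds for a user that
# already exists in the local passwd database (accounts are created manually).
account   required    pam_unix.so broken_shadow
account   sufficient  pam_localuser.so
account   sufficient  pam_succeed_if.so uid < 1000 quiet
account   [default=bad success=ok user_unknown=ignore] pam_krb5.so
account   required    pam_permit.so

# ---- /etc/pam.d/sshd ----
# A stock CentOS 7 sshd PAM file pulls in password-auth rather than
# system-auth, so the pam_krb5 lines above only affect SSH logins if the
# same lines are also present in /etc/pam.d/password-auth.
```

Because this method does not join the machine to the domain, there is no host keytab, so pam_krb5 has no key with which to verify that the ticket it received came from the real KDC. Test a login for a local account with no local password set and confirm the attempt shows up in the Domain Controller logs.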
If you go this route and want to make your Linux filesystems available via Samba then you will need to take the extra step of joining those machines to the domain (no password required when connecting):
net ads join createcomputer=/Divisions/XXX/Computers/ -UYourAdminAccount%password -S citdcfl02.cit.ucar.edu
MMM Notes on joining CentOS 7 system to AD (restricting users)