Smartcard login reading incorrect CN

    Environment:
    RHEL 6.3 (x64) client, on a small, self-contained network.
    Windows 2012 Server with Active Directory, DNS, acting as the Root CA via a self-signed certificate.
    Windows 7 client.

    I have added the RHEL 6.3 client to the Windows Domain, via winbind.
    I can log onto that domain as an Active Directory account, using a password, on the RHEL 6.3 machine.
    The Windows 7 client is set up for smart card login, and I am able to successfully use a Smart Card to log in to the Windows 7 client as a Domain User.

    This tells me that I have most of this set up properly, but I still don't have it fully working correctly.

    Reader is a Cherry GmbH Smart Terminal XX44.
    Card is a Gemalto IDPrime PIV Card2.0.

    I have tried using the pam_pkcs11 module, to log in, but when I log in, I am greeted by "Welcome Users!". Then I'm prompted for the PIN. I enter the PIN, and I get "Authentication Failure."

    I can read the card, and when I use pklogin_finder, the certificate is valid.

    When I configure pam_pkcs11 (in pam_pkcs11.conf, using the coolkey module), I have tried using both "cn" and "ms" mapping. When I use "cn" mapping, the CN that is read from the card is "CN=Users" (hence the "Welcome Users!"). The full UPN is cn="joe user", CN="Users!", DN="mydomain", DN="local".

    So, pam_pkcs11 with "cn" mapping seems to be reading the wrong CN. It's reading the SECOND one, when the documentation says it should read the FIRST one. I can't really map "Users -> juser", because when I start adding other users, they will ALL have to map to "Users" - the "Users" OU in Active Directory contains ALL of the user accounts. When I use pkcs11_inspect debug, it does report user accounts as Users and juser (there are two items in the data returned).

    I have also tried the "ms" mapping. When I am set to "ms" mapping, I am still greeted with "Welcome Users!". When I use pklogin_finder debug, the failure says that the UPN 'juser@mydomain.local' is not found, the Domain '' does not match 'mydomain.local'.

    Most of the examples I am seeing in procedures on how to set this up, talk about using "cn" mapping and a "cn_map" file. But how can I tell the mapper to read the local.mydomain.Users context, instead of the local.mydomain context?

    Should I be trying to use "cn" or "ms" mapping in this set up? (I would think that "ms" mapping would be the preferred method).

    Where is pam_pkcs11+ms_mapper reading the domain name when trying to match to the user on the certificate? Is it possible I have a configuration file somewhere with a "domain = ''" set?

    Also (probably unrelated) - I have imported my server's cert to NSS using certutil.

    I also put the cert in /etc/pam_pkcs11/certs, as per the documentation.
    But I have not run pkcs11_make_hash_link on my cert, because when I try to run that command I get "command not found" - it seems this is part of the pcsc-tools package, which does not seem to be part of the normal redhat repositories. I did install pcsc-lite.

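The two mappers discussed in the post work from different parts of the certificate: the cn mapper from CN values in the Subject DN, the ms mapper from the Microsoft UPN carried in the SubjectAltName (otherName OID 1.3.6.1.4.1.311.20.2.3) compared against a configured domain. The following is an added example, not pam_pkcs11 code and not from the original post. It models why a certificate issued to an account in the AD "Users" container yields two CN candidates ("Users" and "joe user") and how a UPN domain check of the kind the pklogin_finder output describes fails when the configured domain is empty. The DN, the UPN and the setting names `domainname`, `ignorecase` and `ignoredomain` are constructed for the example; the stock pam_pkcs11.conf ships a `mapper ms { ... }` block with settings of that shape, but check the installed file rather than relying on these names.

```python
"""Model of cn- and ms-style login mapping from an X.509 subject and UPN.

Added example, not pam_pkcs11 code. Sample DN and UPN are constructed
from the values quoted in the post.
"""

from typing import List, Optional, Tuple

# Microsoft UPN otherName type in SubjectAltName (the value the ms mapper reads).
UPN_OID = "1.3.6.1.4.1.311.20.2.3"

# Constructed sample: AD writes the DN root-first, so the container CN
# ("Users") precedes the user's own CN ("joe user").
SUBJECT_DN = "DC=local,DC=mydomain,CN=Users,CN=joe user"
SAN_UPN = "juser@mydomain.local"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 style DN into (attribute, value) pairs in written order.

    Handles backslash escapes and double-quoted values; a '+' (multi-valued
    RDN) is treated like ',' for this purpose, which is enough for AD DNs.
    """
    rdns: List[Tuple[str, str]] = []
    attr: List[str] = []
    val: List[str] = []
    in_attr = True
    quoted = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if in_attr:
            if c == "=":
                in_attr = False
            else:
                attr.append(c)
        else:
            if c == "\\" and i + 1 < len(dn):
                val.append(dn[i + 1])  # escaped character, taken literally
                i += 2
                continue
            if c == '"':
                quoted = not quoted
            elif c in ",+" and not quoted:
                rdns.append(("".join(attr).strip(), "".join(val).strip()))
                attr, val, in_attr = [], [], True
            else:
                val.append(c)
        i += 1
    if attr:
        rdns.append(("".join(attr).strip(), "".join(val).strip()))
    return rdns


def cn_values(dn: str) -> List[str]:
    """Every CN value in the DN, in the order it is written."""
    return [v for a, v in parse_dn(dn) if a.upper() == "CN"]


def most_specific_cn(dn: str) -> Optional[str]:
    """The leaf CN (the user's own), whichever way round the DN is written.

    A DN that starts with a DC component is root-first (AD style), so the leaf
    is the last CN; otherwise it is leaf-first (RFC 2253 style), so the leaf is
    the first CN.
    """
    rdns = parse_dn(dn)
    cns = [v for a, v in rdns if a.upper() == "CN"]
    if not cns:
        return None
    root_first = rdns[0][0].upper() == "DC"
    return cns[-1] if root_first else cns[0]


def upn_login(upn: str, domainname: str,
              ignorecase: bool = False, ignoredomain: bool = False) -> Optional[str]:
    """Derive a local login from a UPN, or None when the domain check fails.

    Models an ms-style mapper: the part after '@' must equal the configured
    domainname unless ignoredomain is set; ignorecase makes both the domain
    comparison and the returned login case-insensitive.
    """
    if "@" not in upn:
        return None
    user, _, domain = upn.rpartition("@")
    if not ignoredomain:
        left, right = (domain, domainname)
        if ignorecase:
            left, right = left.lower(), right.lower()
        if left != right:
            return None  # e.g. Domain '' does not match 'mydomain.local'
    return user.lower() if ignorecase else user


def demo() -> dict:
    """Run the model over the constructed sample certificate values."""
    return {
        "cn_values": cn_values(SUBJECT_DN),
        "leaf_cn": most_specific_cn(SUBJECT_DN),
        "ms_domain_unset": upn_login(SAN_UPN, ""),
        "ms_domain_set": upn_login(SAN_UPN, "mydomain.local"),
        "ms_ignoredomain": upn_login(SAN_UPN, "", ignoredomain=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Run against the constructed DN, `cn_values` returns both "Users" and "joe user", which is the two-item result the post sees in pkcs11_inspect, and `upn_login` with an empty configured domain returns None while "mydomain.local" yields "juser". Whether a real deployment should use the cn or the ms mapper is a separate decision; the point of the model is that the cn route has to choose between two CNs, while the ms route needs the domain setting to match the UPN suffix on the card.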
