For reference, I just did the commands in lab as you obfuscated some of the output:
[appadmin@cppm-nl]# show domain
=======================================================
Domain Information
-------------------------------------------------------
Domain Name : NL.ARUBALAB.COM
Domain NETBIOS Name : NL
Domain Server Ip Address : 192.168.32.11
Domain Server Name : dc01.nl.arubalab.com
Domain Status : online
-------------------------------------------------------
=======================================================
[appadmin@cppm-nl]# ad auth -u arubase -n nl.arubalab.com
Password:
NT_STATUS_OK: Success (0x0)
[appadmin@cppm-nl]# ad auth -u arubase -n nl
Password:
NT_STATUS_OK: Success (0x0)
[appadmin@cppm-nl]#
From the error message (could not obtain windbind separator), could it be that you have special (non a-z,A-Z,0-9) characters in your full domain name, one of the DC fqdn, the username you tried or password? One thing I recently heard of was a customer who had an underscore _ in the DNS name, which is not supported in DNS. To isolate the issue, can you make sure none of these non-standard or accented characters exist in any of the domain/host/user-names or password? As you can see above you can either use the long Domain Name or the short Netbios name.
This command should just do the authentication and is separate from Authentication sources that use LDAP to fetch user group attributes.
BTW, domain join is only needed for MSCHAPv2 authentication (aka PEAP) which really shouldn't be used anymore as MSCHAPv2 is cracked.