OK, I think it might be working and this was false alarm (as usual). I think I might have been tripped up by the newish auth.signature "represent" which was showing empty fields for created_by/modified_by since I am not collecting first/last name.
It still seems odd, though, that is_active is defaulting to False. I tossed out custom auth_user and am now using extra_fields. We'll see how that goes.