[Samba] using AD groups in "username map"

[Matthias Leopold]

Hi,

i'm trying to setup Samba 4.6 on CentOS 7.4 as a Domain Member of a 
Windows 2012R2 Domain Controller with AD. To administer share security i 
have to use the "username map" feature. This works when i enumerate 
individual AD users there. When i want to use AD groups it only works 
with "primary" groups. This way i can't use the "Domain Admins" group 
from AD there, since "primary" group (unix style) of all AD users is 
"Domain Users".

I'm using the "rid" idmap backend, where i can't change linux primary 
group membership of AD users (to my experience). I know i can change 
linux primary group membership with the "ad" idmap backend, but also 
only when using the Unix extensions in AD (changing Windows primary 
group has no effect and is deprecated anyway). I want to avoid this and 
don't want to believe this is necessary in the first place.

Some configuration details:

smb.conf:
security = ADS
passdb backend = tdbsam
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-999999
winbind enum users  = yes
winbind enum groups = yes
username map = /etc/samba/user.map

/etc/samba/user.map:
!root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
-> this doesn't work!

/etc/nsswitch.conf:
passwd:     files winbind
group:      files winbind

# sudo -u 'MYDOMAIN\mleopo53' id
uid=13627(MYDOMAIN\mleopo53) gid=10513(MYDOMAIN\domain users) 
groups=10513(MYDOMAIN\domain 
users),3000(BUILTIN\administrators),3001(BUILTIN\users),10512(MYDOMAIN\domain 
admins),10572(MYDOMAIN\denied rodc password replication 
group),13627(MYDOMAIN\mleopo53) 
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

How can i solve this?

-- 
Matthias Leopold
IT Systems & Communications
Medizinische Universität Wien
Spitalgasse 23 / BT 88 /Ebene 00
A-1090 Wien
Tel: +43 1 40160-21241
Fax: +43 1 40160-921200