samba - Oct 2018 - smb.conf username map entry does not work

Hi folks,

I have got the following setup:

OS: CentOS 7.5 1804 in a HP DL120 server

Samba AD member server with standard Samba 4.7.1 from the CentOS 7.5 
distribution.

I have got a problem that the "username map" entry in smb.conf does
not
seem to have any effect at all. In the mapping file there is a mapping 
from Administrator to root. But when I run id Administrator I do not get 
the mapping to root. The result of the id command looks like:

uid=10500(administrator) gid=10513(domain_users) 
groups=10513(domain_users), 10500(administrator), 10512(domain_admins), 
10572(denied_rodc_password_replication_group), 
10518(schema_admins),10519(enterprise_admins), 
10520(group_policy_creator_owners), 
3001(BUILTIN\users),3000(BUILTIN\administrators)

and getent passwd Administrator gives:

administrator:*:10500:10513::/dev/null:/sbin/nologin

This in turn give problems when setting up a share with the RSAT tools. 
It is not possible to use the administrator account, as it seems to 
behave like any user account, and not an Administrator account. Also, 
for example setting permissions on a file, and using Administrator, sets 
permission to the user Administrator, and not root.

I wiped all files under /var/lib/samba and /run/samba, and rejoined the 
server, but it did not change things at all. I also tried to set the 
uidNumber=0 in the ADUC tool, but that did not help either.

I would be very grateful for any ideas.

Best regards,

Peter


smb.conf
=====
[global]
    workgroup = SAMDOM
    realm = SAMDOM.LOCAL
    security = ads
    netbios name = KONSRV
    server string = Samdom server %h

    username map = /etc/samba/user.map

    template homedir = /dev/null
    template shell = /sbin/nologin
    winbind use default domain = true
    winbind offline logon = true
    winbind normalize names = Yes

    idmap config * : backend = tdb
    idmap config * : range = 3000-9999
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999

    local master = no
    domain master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes
    client signing = mandatory

    winbind enum users = yes
    winbind enum groups = yes
    winbind expand groups = 4

    printing = bsd
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    inherit acls = yes
    acl group control = yes

    hide unreadable = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/


user.map
=====
!root = administrator Administrator SAMDOM\Administrator 
SAMDOM\\Administrator SAMDOM\administrator SAMDOM\\administrator