Ben Cohen
2014-Feb-13 21:27 UTC
[Samba] samba4 ad domain member server -- don't desire sid <-> uid mapping
I've got a very simple need -- I want to make a samba4 server a member of an active directory domain and use it as a file-server only. All shares on the file server are explicitly designed with a 'uniform access model' -- e.g. the users in privileged groups can do anything to all files in the share and (despite their best attempts) they can't accidentally edit permissions on files such that others within the same security group lose the ability to view/edit files in the share. This is by far the simplest way we've found to set up file servers for heterogeneous environments -- where you tend to have things like Finder on OS X doing permission modification operations after directory creation -- and a whole space of other insanities that make it impossible for even sophisticated users to understand the behavior as file operations get translated through multiple incompatible permission models in really complicated ways.

We used to host an NT style domain for this purpose under samba3 -- we used settings like this to enforce the access model for each share:

    comment = HR share
    path = /space/SambaShares/HR
    read only = no
    valid users = +HR
    write list = +HR
    create mask = 0664
    security mask = 0664
    force create mode = 0664
    force security mode = 0664
    directory mask = 02775
    directory security mask = 02775
    force directory mode = 02775
    force directory security mode = 02775
    force user = HR-user
    force group = HR
    browseable = Yes

With the above model, each user in group 'HR' could connect to the share from any odd client, do anything to the files there, and all permission modifications from the client were ignored. With the above, every file in the share is guaranteed to be editable by all other users regardless of how they connect to the share and regardless of what crazy things they or their applications might try to do to the file permissions. That's worked well for us -- but now we need to deprecate the NT4 domain and move all the 'authentication' responsibilities into our enterprise AD.

We explicitly do NOT want to modify pam or /etc/nsswitch.conf as we want to keep the linux environment on the samba host separate and immune from the AD stack -- if AD is down or off, it's acceptable that samba might stop working, but it would NOT be ok for such a downtime/failure to cause problems on the server itself (from the getent APIs hanging unexpectedly, for example, or any of the other bad things that can result when the behavior of the password database APIs has a sudden behavior change).

There is a page on the samba wiki which suggests that what I desire to do is possible -- https://wiki.samba.org/index.php/Adding_users_with_samba_tool -- it says specifically 'samba 4 does not require a local Unix user for each Samba user that is created'. That's the holy grail for me, exactly what I want ... Can anyone point me in the right direction to set things up that way? I want to

1. set up a samba4 server that is joined to an active directory domain
2. use the active directory domain to authenticate access to a fileshare
3. NOT require a unix user account for each samba user

... I'm more than a little confused about how to achieve this from the documentation that's 'out there' on the web ... It seems like I'm well into the 'simple case' so it ought not to be that hard ...?

So far I've succeeded in joining a samba4 instance to an active directory domain as a member server (had to use `net ads join` as samba-tool's join function didn't work ...)

- I found out the security mask and directory security mask options were removed from samba4 ... why? How can we enforce that permission changes from clients will not be honored without this?

- after joining the domain and starting winbindd, wbinfo will correctly show the active directory users and groups

samba config looks like this:

    [global]
        workgroup = AD
        realm = AD.MYDOMAIN.COM
        security = ADS
        server role = member server
        netbios name = TEST-SERVER
        log level = 5

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/somts-test.ucsd.edu/scripts
        read only = No

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

    [testshare]
        comment = test share
        path = /space/testshare
        read only = no
        valid users = +AD\samba-testshare-group
        write list = +AD\samba-testshare-group
        create mask = 0664
        force create mode = 0664
        directory mask = 02775
        force directory mode = 02775
        force group = samba-testshare-group
        browseable = yes

I have been able to mount a share as any user who is a member of the AD\samba-testshare-group yet ... Can anybody out there interpret what I'm trying to do and give me pointers ..?

Huge thanks,
Ben
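As an added illustration (not part of Ben's post and not Samba's own code), the Python below models the documented smb.conf(5) rule for the UNIX mode of a newly created file or directory: the mode derived from the client's request is bit-wise AND-ed with 'create mask' (or 'directory mask') and the result is OR-ed with 'force create mode' (or 'force directory mode'). Run against the values from the HR share above, it shows why every file ends up 0664 and every directory 02775 no matter what the client asks for; run against a hypothetical copy of the share with the 'force' parameters left at their default of 000, it shows how a client requesting 0600 would leave the rest of the group locked out. The requested modes are constructed sample inputs; the model covers creation-time modes only and says nothing about later chmod/ACL requests from clients, which is the separate question raised in the post.

```python
#!/usr/bin/env python3
"""Model of how Samba derives the UNIX mode of a newly created file or
directory from the client's request and a share's mask/force parameters.

Added example; not code from the original post or from Samba. It follows
the smb.conf(5) description: requested mode AND mask, then OR force bits.
"""

# Values copied from the HR share definition in the post.
HR_SHARE = {
    "create mask": 0o664,
    "force create mode": 0o664,
    "directory mask": 0o2775,
    "force directory mode": 0o2775,
}

# Hypothetical weaker variant: same masks, 'force' parameters left at the
# smb.conf default of 000 (constructed for comparison, not from the post).
HR_SHARE_NO_FORCE = {
    "create mask": 0o664,
    "force create mode": 0o000,
    "directory mask": 0o2775,
    "force directory mode": 0o000,
}


def effective_mode(requested: int, mask: int, force: int) -> int:
    """mode = (requested & mask) | force, as smb.conf(5) describes."""
    return (requested & mask) | force


def file_mode(share: dict, requested: int) -> int:
    """Mode a new file gets on this share for a given requested mode."""
    return effective_mode(requested, share["create mask"], share["force create mode"])


def directory_mode(share: dict, requested: int) -> int:
    """Mode a new directory gets on this share for a given requested mode."""
    return effective_mode(requested, share["directory mask"], share["force directory mode"])


def group_can_modify(mode: int) -> bool:
    """True when the owning group has both read and write bits set, which is
    the property the post's 'uniform access model' relies on."""
    return (mode & 0o060) == 0o060


# Constructed sample requests: what assorted clients/applications might ask for.
SAMPLE_REQUESTS = {
    "owner-only (0600)": 0o600,
    "group-readable (0640)": 0o640,
    "world-writable (0666)": 0o666,
    "executable (0755)": 0o755,
}


def audit(share: dict) -> dict:
    """Map each sample request to (resulting file mode, group can modify)."""
    result = {}
    for name, req in SAMPLE_REQUESTS.items():
        mode = file_mode(share, req)
        result[name] = (mode, group_can_modify(mode))
    return result


if __name__ == "__main__":
    for label, share in (("with force", HR_SHARE), ("without force", HR_SHARE_NO_FORCE)):
        print(f"--- {label} ---")
        for name, (mode, ok) in audit(share).items():
            print(f"{name:24s} -> {mode:05o}  group rw: {ok}")
        print(f"directory (0700 requested) -> {directory_mode(share, 0o700):05o}")
```

The point to check in the output is the second table: with the masks alone, a client that asks for 0600 gets 0600, because AND-ing with 0664 can only remove bits; it is the OR with 'force create mode' that guarantees the group write bit is present on every file.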