Try smart umount as a simple solution (no credentials needed).

roles/lmn_mount/tasks/main.yml

@@ -12,11 +12,11 @@
 - name: Configure pam_mount for LMN homes
   blockinfile:
     dest: /etc/security/pam_mount.conf.xml
-    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN homes) -->"
+    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (mount LMN home) -->"
     block: |
-      <!-- mounts for home, share and nextcloud -->
+      <!-- mounts for home and nextcloud -->
       <volume
-        fstype="lmn"
+        fstype="cifs"
         server="{{ smb_server }}"
         path="{{ smb_share }}"
         mountpoint="/srv/samba/schools/default-school"

roles/lmn_printer/tasks/main.yml

@@ -30,7 +30,8 @@
         path="sysvol/"
         mountpoint="/srv/samba/%(USER)/sysvol"
         options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks"
-      ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not></volume>
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
+      </volume>
     insertafter: "<!-- Volume definitions -->"
 
 - name: Create /etc/linuxmuster-linuxclient7 Directory

roles/lmn_vm/files/pam-umount.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/bash
+#
+# <umount>/usr/local/sbin/pam-umount.sh %(USER) %(USERUID) %(MNTPT)</umount>'
+
+set -eu
+
+LANG=C
+usr="$1"
+uid="$2"
+mtp="$3"
+
+lmuh="/lmn/media/$usr/home"
+lmus="/lmn/media/$usr/share"
+
+for VMname in $(sudo -u $usr XDG_RUNTIME_DIR="/run/user/$uid" \
+		     virsh list --state-running | grep running | awk '{print $2}'); do
+    sudo -u $usr XDG_RUNTIME_DIR="/run/user/$uid" virsh destroy $VMname || true
+    sleep 1
+done
+#killall -9 virtiofsd
+
+if [[ "$mtp" =~ "/srv/samba/schools" ]] ; then
+    N=0
+    mh=true
+    ms=true
+    mountpoint -q $lmuh || mh=false
+    mountpoint -q $lmus || ms=false
+    while [[ $N -lt 10 ]] && ([[ $mh = true ]] || [[ $ms = true ]]) ; do
+	if [[ $mh = true ]] ; then
+	    umount "$lmuh" && mh=false
+	fi
+	if [[ $ms = true ]] ; then
+	    umount "$lmus" && ms=false
+	fi
+	N=$((N + 1))
+	sleep 1
+    done
+    systemd-cat echo "Tried $N umount(s)."
+fi
+exec umount "$mtp"

roles/lmn_vm/files/u-mount.sh

@@ -1,51 +0,0 @@
-#!/usr/bin/bash
-#
-# <cifsmount>/usr/local/sbin/u-mount.sh %(USER) %(USERUID) %(MNTPT) %(FSTYPE) %(OPTIONS) %(SERVER) %(VOLUME)</cifsmount>'
-# <umount>/usr/local/sbin/u-mount.sh %(USER) %(USERUID) %(MNTPT)</umount>'
-
-set -eu
-
-systemd-cat echo $@
-
-LANG=C
-usr="$1"
-uid="$2"
-mtp="$3"
-
-if [[ "$#" -gt 3 ]] ; then
-    ## we are mounting
-    fty="$4"
-    opt="$5"
-    srv="$6"
-    vol="$7"
-    case "$fty" in
-	"davfs")
-	    systemd-cat echo mount -t davfs -o "$opt" "$vol" "$mtp"
-	    exec mount -t davfs -o "$opt" "$vol" "$mtp"
-	    ;;
-	"cifs")
-	    if [[ ! "$vol" =~ "sysvol" ]] ; then
-		home="$(getent passwd "$usr" | cut -d : -f 6)"
-		vol="default-school/"
-		mount -t cifs -o "$opt" "//$srv/$vol" "$mtp"
-		mkdir -p "/lmn/media/$usr/share"
-		mkdir -p "/lmn/media/$usr/home"
-		mount -o bind "/srv/samba/schools/default-school/share" "/lmn/media/$usr/share"
-		exec mount -o bind "$home" "/lmn/media/$usr/home"
-	    else
-		mount -t cifs -o "$opt" "//$srv/$vol" "$mtp"
-	    fi
-    esac
-else
-#    for VMname in $(sudo -u $user XDG_RUNTIME_DIR="/run/user/$uid" \
-#			 virsh list --state-running | grep running | awk '{print $2}'); do
-#	sudo -u $user XDG_RUNTIME_DIR="/run/user/$uid" virsh destroy $VMname
-#	sleep 1
-#    done
-    #killall -9 virtiofsd
-
-
-    umount "/lmn/media/$usr/share" && rmdir "/lmn/media/$usr/share"
-    umount "/lmn/media/$usr/home"  && rmdir "/lmn/media/$usr/home"
-    exec umount "$mtp"
-fi

roles/lmn_vm/tasks/main.yml

@@ -14,19 +14,39 @@
     #    insertafter: '#auth_unix_rw = "polkit"'
     #  notify: reload libvirtd
 
-- name: Generate bind mounts for VMs in extra mount script
+- name: Configure pam_mount for VM bind mounts
   blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mounts for VMs) -->"
     block: |
-      <lmnmount>/usr/local/sbin/u-mount.sh %(USER) %(USERUID) %(MNTPT) %(FSTYPE) %(OPTIONS) %(VOLUME) "~"</lmnmount>'
+      <!-- bind mounts for the VMs, setting gid here does not work -->
-      <lmnumount>/usr/local/sbin/u-mount.sh %(USER) %(USERUID) %(MNTPT)</lmnumount>'
+      <volume
+        path="~"
+        mountpoint="/lmn/media/%(USER)/home"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
+      </volume>
+      <volume
+        path="/srv/samba/schools/default-school/share"
+        mountpoint="/lmn/media/%(USER)/share"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
+      </volume>
+    insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"
+
+- name: Use umount script for proper ordering
+  blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (umount script needed for bind mounts ordering) -->"
+    block: |
+      <!-- Provide special umount script here to handle bind mounts and proper ordering -->
+      <umount>/usr/local/sbin/pam-umount.sh %(USER) %(USERUID) %(MNTPT)</umount>
     insertafter: '^<mntoptions.*'
 
 - name: Prepare umount script
   ansible.builtin.copy:
-    src: u-mount.sh
+    src: pam-umount.sh
-    dest: /usr/local/sbin/u-mount.sh
+    dest: /usr/local/sbin/pam-umount.sh
     mode: "0755"
 
 - name: autostart default network for VMs