Channel: Forum Microsoft Identity Manager

PAM 2016 - Unable to nest PRIV security group into CORP Domain Admin group - KB3155495 enabled


I have implemented PAM 2016 in our test & development environment. My PRIV forest is at the 2016 domain level, and my "CORP" forest is at the 2012 domain level. The "CORP" forest has Win 2016 based domain controllers (but as stated, is at a 2012 domain level).

According to KB3155495 I should be able to add the "PRIV" base security group in the CORP domain to the Domain Admins group. This is not happening. The forest trust still disables nesting external security groups in "special groups" (i.e., Domain Admins, etc.).

The "trustAttributes" on the trust indicates 0x448, which should be TAPT, TATE, PIM-TRUST. The description of these attributes in 6.1.6.7.9 trustAttributes seems to say that SID filtering is used, but even if I enable SID filtering on the trust, it's a no-go. In fact, with SID filtering enabled the shadow group obtains even less group membership.

Is there any other setting that needs to be made to accomplish having PAM place shadow groups in the CORP domain admin group?

PS: This is PAM 2016 SP1, version 4.4.1237.0
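
As an added example (not part of the original post), the Python below decodes a trustAttributes value such as the 0x448 quoted above into the flag abbreviations of MS-ADTS 6.1.6.7.9 and reports the bits relevant to SID filtering. The helper names `decode`, `assess` and `diff` and the second reading 0x44C are constructed for illustration; the PIM-trust test (TAPT and TATE both set) follows that section's description of the TAPT bit.

```python
from enum import IntFlag


class TrustAttr(IntFlag):
    """trustAttributes bits from MS-ADTS 6.1.6.7.9, named by abbreviation."""
    TANT = 0x001  # NON_TRANSITIVE
    TAUO = 0x002  # UPLEVEL_ONLY
    TAQD = 0x004  # QUARANTINED_DOMAIN
    TAFT = 0x008  # FOREST_TRANSITIVE
    TACO = 0x010  # CROSS_ORGANIZATION
    TAWF = 0x020  # WITHIN_FOREST
    TATE = 0x040  # TREAT_AS_EXTERNAL
    TARC = 0x080  # USES_RC4_ENCRYPTION
    TANC = 0x200  # CROSS_ORGANIZATION_NO_TGT_DELEGATION
    TAPT = 0x400  # PIM_TRUST


def decode(value):
    """Return (names of set flags in bit order, bits not defined above)."""
    names = [f.name for f in TrustAttr if value & f.value]
    known = sum(f.value for f in TrustAttr)
    return names, value & ~known


def assess(value):
    """Summarise the properties of a trust that affect SID filtering."""
    names, unknown = decode(value)
    return {
        "flags": names,
        "unknown_bits": hex(unknown),
        "forest_trust": "TAFT" in names,
        # Assumption from MS-ADTS: TAPT together with TATE marks a PIM trust.
        "pim_trust": "TAPT" in names and "TATE" in names,
        "quarantined": "TAQD" in names,
    }


def diff(before, after):
    """Flags (added, removed) between two readings of the same trust object."""
    b, a = set(decode(before)[0]), set(decode(after)[0])
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    print(assess(0x448))       # value quoted in the post
    print(diff(0x448, 0x44C))  # 0x44C is a constructed second reading
```

Comparing readings taken before and after a trust change with `diff` shows exactly which bit the change toggled.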

