Try smart umount as a simple solution (no credentials needed).

roles/lmn_vm/tasks/main.yml

@@ -14,19 +14,39 @@
     #    insertafter: '#auth_unix_rw = "polkit"'
     #  notify: reload libvirtd
 
-- name: Generate bind mounts for VMs in extra mount script
+- name: Configure pam_mount for VM bind mounts
   blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mounts for VMs) -->"
     block: |
-      <lmnmount>/usr/local/sbin/u-mount.sh %(USER) %(USERUID) %(MNTPT) %(FSTYPE) %(OPTIONS) %(VOLUME) "~"</lmnmount>'
-      <lmnumount>/usr/local/sbin/u-mount.sh %(USER) %(USERUID) %(MNTPT)</lmnumount>'
+      <!-- bind mounts for the VMs, setting gid here does not work -->
+      <volume
+        path="~"
+        mountpoint="/lmn/media/%(USER)/home"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
+      </volume>
+      <volume
+        path="/srv/samba/schools/default-school/share"
+        mountpoint="/lmn/media/%(USER)/share"
+        options="bind"
+        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
+      </volume>
+    insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"
+
+- name: Use umount script for proper ordering
+  blockinfile:
+    dest: /etc/security/pam_mount.conf.xml
+    marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (umount script needed for bind mounts ordering) -->"
+    block: |
+      <!-- Provide special umount script here to handle bind mounts and proper ordering -->
+      <umount>/usr/local/sbin/pam-umount.sh %(USER) %(USERUID) %(MNTPT)</umount>
     insertafter: '^<mntoptions.*'
 
 - name: Prepare umount script
   ansible.builtin.copy:
-    src: u-mount.sh
-    dest: /usr/local/sbin/u-mount.sh
+    src: pam-umount.sh
+    dest: /usr/local/sbin/pam-umount.sh
     mode: "0755"
 
 - name: autostart default network for VMs