Yes marc it is a good remark i made myself when i found that once you created a user with the sambaAD you cannot add anymore the shell access.
You have to destroy the user account (and all its data) then recreate it with the shell access enabled)
@davidep said that a new feature with gpo must be created for this
So for ns7 a this point we cannot do something except documenting it in the module that sudo needs (of course) a shell access.
For ns6 I can add an action to the db accounts and set the shell property to enabled if the sudo is enabled.