docker -G and non-local groups

So we (like many other labs) store our user identity information in LDAP. I created a docker group in LDAP so that its membership is valid across our cluster. When I tried to run a docker command, however, I got this error:

Get http:///var/run/docker.sock/v1.20/containers/json: dial unix /var/run/docker.sock: permission denied.
* Are you trying to connect to a TLS-enabled daemon without TLS?
* Is your docker daemon up and running?

Turns out that /var/run/docker.sock was owned by root:root, not root:docker as expected. Running docker in debug mode I saw this message:

DEBU[0000] Warning: could not change group /var/run/docker.sock to docker: Group docker not found 

After a bit of poking around and verifying that the group did exist, I came across the code in unix_socket.go. To make a longish (lines 41-83) story short, docker relies on libcontainer for its user/group lookups, and these parse the /etc/group file directly, ignoring nsswitch.conf (and thus identity providers like LDAP).

If you use the numeric gid (docker daemon -G 555 for instance) then you get some strange messages in the log (example is from debug mode):

WARN[0000] Could not find GID 555                       
DEBU[0000] 555 group found. gid: 555

but the ownership of the docker Unix socket is set as expected.
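To make the two behaviours above concrete, here is a small added example (my own sketch, not docker's or libcontainer's code) that models a file-only group lookup: it parses /etc/group-format text and resolves a -G argument first by name, then as a literal numeric gid. The group file content is constructed; a docker group defined only in LDAP is absent from it, so "docker" fails while "555" resolves regardless of the file.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseGroupFile reads /etc/group-format text (name:password:gid:members)
// into a name->gid map. Only this text is consulted; nsswitch.conf sources
// such as LDAP are never asked, which is the file-only behaviour described.
func parseGroupFile(content string) (map[string]int, error) {
	groups := map[string]int{}
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, ":")
		if len(fields) < 3 {
			return nil, fmt.Errorf("malformed group line: %q", line)
		}
		gid, err := strconv.Atoi(fields[2])
		if err != nil {
			return nil, fmt.Errorf("bad gid in %q: %v", line, err)
		}
		groups[fields[0]] = gid
	}
	return groups, nil
}

// lookupGid resolves a -G argument by name against the parsed file, then as
// a literal numeric gid, which succeeds even with no matching file entry.
func lookupGid(groups map[string]int, arg string) (int, error) {
	if gid, ok := groups[arg]; ok {
		return gid, nil
	}
	if gid, err := strconv.Atoi(arg); err == nil {
		return gid, nil
	}
	return -1, fmt.Errorf("Group %s not found", arg)
}

// Constructed sample: local /etc/group with no docker entry (it lives in LDAP).
const sampleGroupFile = "root:x:0:\nstaff:x:50:alice\n"

func main() {
	groups, _ := parseGroupFile(sampleGroupFile)
	for _, arg := range []string{"docker", "555", "staff"} {
		fmt.Println(lookupGid(groups, arg))
	}
}
```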