tequeter commented on a pull request
""" One of my customers has an in-house GNU/Linux desktop application they use on many remote tiny sites with unreliable WAN links. So far the application was doing local authn/authz using a database, but the customer is migrating their remote employees to the central AD for easier access to new centralized applications.
I will deploy SSSD on the remote desktops to ensure application availability in case of WAN failures, and the customer will update their application to authn with a SSSD-enabled PAM service and authz with InfoPipe. However, the application still needs to map the AD groups of the users to its internal permission system.
I considered using the gid provided by SSSD for that purpose (but it is not guaranteed to be consistent on all computers, from sssd-ldap(5)/ID MAPPING), or the group name (but that felt even more brittle). So, we decided to use the more robust GUID at the cost of creating this patch. """
See the full comment at https://github.com/SSSD/sssd/pull/21#issuecomment-245950785