Alexey,
Please forgive the delay in response. I'm heavily involved with a PS engagement/deployment for the next couple of weeks (this one included) and free time is sparse. This is important though so I will be working on it so again please forgive any delays in response.
We use the daemon for AD user/group resolution, access control, and authentication for cluster users at the edge (AD joined job submission nodes, data transfer nodes, etc.) and internally (compute nodes using LDAP). Users are permitted to authenticate to compute nodes if they have active jobs on. The SLURM "pam_slurm_adopt.so" module controls that access, where AD groups do so on the cluster edge systems. Those same AD groups will be used for SLURM based quality of service settings as well in an internal database. The enterprise provides the AD environment and we have no appetite to implement a shadow AD or LDAP service for the research compute side of things.
As mentioned, I've deployed hundreds of these configurations and this stateless configurations are the only one to behave this way. Very curious but as ephemeral systems are expectantly redeployed as a matter of operations, this nuance could certainly get annoying :-) .
-- lawrence