Without bothering to think about silly things like “standards” or “expected behavior” Red Hat’s Fedora team modified how linux systems using sssd interact with Active Directory, and then Red Hat pushed out the modification during a routine quarterly patch run to their flagship Enterprise Linux product.
Because of this insanity and this insanity (uber geeky links, do not click if RFC2307 is never casually mentioned in your household).
This breaks stuff, profoundly. POSIX systems require separate namespaces for groups and users and Active Directory cannot provide that separate namespace when directory consumers like sssd are drawing their information from a single namespace that does not allow duplication.
So all over the world, linux systems are breaking as scripts that rely on group names have suddenly had the rug yanked out from under them. These utter assclowns have blown off a critically important, globally significant standard on a whim without bothering to think for ten seconds about what it will do in real infrastructures.
##HACK TO FIX THIS, TELL YOUR FRIENDS
Add this line to your [domain] stanza in /etc/sssd/sssd.conf :
ldap_group_name = cn
