[nssldap] wireshark shows successful ldap searches, but no nss or pam stuff works
- From: philoertel <phillipao [at] gmail.com>
- To: nssldap [at] padl.com
- Subject: [nssldap] wireshark shows successful ldap searches, but no nss or pam stuff works
- Date: Thu, 16 Jul 2009 10:49:59 -0700 (PDT)
I'm at wit's end. I'm trying to set up PAM on my Debian 4.1.2 box to authenticate people against our AD server. But I've broken everything. I can ssh and su as root. ssh as my regular user (who's both in LDAP and /etc/passwd) just hangs. ssh or su as any user in LDAP but not in /etc/passwd errors: "unknown id: test". getent passwd shows only users in /etc/passwd. id root works, id poertel (me) hangs, and id <ldap-user> fails with "id: <ldap-user>: No such user". libnss-ldap is installed, and strace shows su is checking NSS, or at least it's opening the config files.

According to Wireshark, there's a lot of successful-looking LDAP activity for each of these things. For both su poertel and id poertel there's a search for people with sAMAccountName=poertel, and there's one response. For getent passwd, there's a search for all people with objectclass=user, and all the results I would expect are returned. Even my su <ldap-user> and id <ldap-user> generate LDAP queries for that user, and the AD server sends the right result. Strangely though, for my ssh poertel, there's some extra LDAP querying: search CN=Configuration (sAMAccountName=poertel), search DC=ForestDnsZones (same condition), DC=DomainDnsZones (same condition). None of those three queries come back with any results. My ssh <ldap-user> doesn't generate those extra queries.

Here are my configuration files for LDAP and NSS:
ldap.conf: http://www.nabble.com/file/p24518891/ldap.conf
libnss-ldap.conf: http://www.nabble.com/file/p24518891/libnss-ldap.conf
nsswitch has passwd, shadow, and group set to "files ldap".

This has been so confusing and difficult. Thanks for any advice.
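One way to make the triage described in this post systematic, added here as an example and not something from the original thread: a script that runs each NSS-backed lookup under a timeout, so a hang (as seen for "id poertel") is reported separately from a plain "no such user", and probes the files and ldap sources one at a time before the merged lookup. It assumes coreutils `timeout` is installed and that `getent` is the glibc version, which accepts `-s SERVICE`; the user names and the 10-second limit are placeholders.

```shell
#!/bin/sh
# Added diagnostic helper; not from the original thread.
# Runs NSS-backed lookups under coreutils `timeout` so a hang (the symptom
# reported for "id poertel") is reported separately from "no such user".
# Assumptions: coreutils `timeout` is installed, and getent accepts
# `-s SERVICE` (glibc) to query a single nsswitch source in isolation.

LIMIT=${LIMIT:-10}   # seconds after which a lookup is classified as a hang

report() { printf '%-32s %s\n' "$1" "$2"; }

# classify_cmd COMMAND [ARGS...]  -> prints: ok | notfound | hang
classify_cmd() {
    # The "&& ... ||" idiom keeps a failing command from tripping `set -e`.
    timeout "$LIMIT" "$@" >/dev/null 2>&1 && rc=0 || rc=$?
    case $rc in
        0)   echo ok ;;
        124) echo hang ;;      # timeout(1) exits 124 when the limit expires
        *)   echo notfound ;;  # getent/id exit non-zero for an unknown name
    esac
}

# check_user USER: probe each passwd source on its own, then the merged
# lookup, then `id`, which additionally walks the group sources.
check_user() {
    user=$1
    for src in files ldap; do
        report "getent -s $src passwd $user" \
               "$(classify_cmd getent -s "$src" passwd "$user")"
    done
    report "getent passwd $user" "$(classify_cmd getent passwd "$user")"
    report "id $user"            "$(classify_cmd id "$user")"
}

# User names taken from the post; substitute accounts from your own system.
for u in root poertel; do
    check_user "$u"
done
```

A lookup that reports "hang" for the ldap source but "ok" for files points at the LDAP side (server reachability, bind or timeout settings in ldap.conf) rather than at nsswitch ordering.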