Found it. It turns out that the config file for libnss-ldap is /etc/libnss-ldap.conf on my distro (Debian). So NSS was ignoring the config that I had been in /etc/ldap/ldap.conf and taking it from /etc/libnss-ldap.conf. The former had this "nss_base_group ou=Groups,dc=example,dc=co,dc=uk?sub" and the latter this nss_base_group ou=group,dc=example,dc=co,dc=uk?one. Once I edited group to Groups, it started working.
Package: libnss-ldap Priority: extra Section: net Installed-Size: 304 Maintainer: Richard A Nelson (Rick) <...> Architecture: amd64 Version: 261-2.1 Depends: libc6 (>= 2.7-1), libcomerr2 (>= 1.01), libkrb53 (>= 1.6.dfsg.2), libldap-2.4-2 (>= 2.4.7), libsasl2-2, debconf | debconf-2.0 Recommends: nscd, libpam-ldap ... Hope that saves someone the (huge) amount of time it's taken me to figure out where this problem was. Thanks, Dermot. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
