newgrp to AD/LDAP group - What am I missing?
Dan Kressin
dkressin-/E1597aS9LQAvxtiuMwx3w at public.gmane.org
Wed Apr 22 10:33:28 EDT 2009
I have a SuSE 10u2 server (foo) that has been joined to our AD domain. All accounts and groups are AD-only, nothing local. I can log in to foo as AD\user and running 'id' shows user's primary AD group/gid as well as all of the other AD groups he is part of. Trying to 'newgrp' to any of the non-primary groups, however, results in a password prompt. I have /etc/ldap.conf configured such that I can successfully 'ldapsearch' against AD and /etc/nsswitch.conf contains "group: compat ldap lsass". (lsass is Likewise Open, which we used to join the system to AD. Their mailing list was not helpful.)
If I add AD\user to a local group in /etc/group I can successfully newgrp to it and back to my primary AD gid w/o a password prompt.
Any thoughts on where to look next?
Thanks,
Dan