I recently posted to this list regarding a very slow response when getting the groups for a user.

The fix was to set

ldap_schema = rfc2307bis


Now 'groups' and 'id' return very quickly. As an aside, is there an easy way to tell if rfc2307 or rfc2307bis is in operation on a given AD domain?


The problem is now that my account cannot log in... My account is valid, and I can do 'id johe' and 'getent passwd johe' where johe is my account name. I just can't log in with my password. 

I am almost 100% sure my password is valid, as I can LDAP bind to the AD controller and perform ldap searches.


Any help on debugging this issue is welcome.

BTW my sAMAccountName is JOHE, but I think this is not case sensitive, from what I can see in the sssd logs.