LDAP authentication: Windows Server 2k3 vs. 2k8

The LDAP name mapping has changed between Win2K3 and 2K8. The new mapping (to apply in /etc/ldap.conf) is:

# nss_ldap mapping for Windows Server 2008 AD (NSS name -> AD attribute / objectclass)
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute loginShell loginShell
nss_map_attribute gecos cn
nss_map_objectclass posixGroup Group
nss_map_attribute shadowLastChange pwdLastSet

Please let me know if that helps. You may have to migrate the old users as well -- I'd use ldapsearch and compare new and old users (but I think they will just have both attributes, if I recall).
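As an added illustration (not part of either answer), the script below applies the passwd-related rows of the nss_map_attribute table above to LDIF of the kind ldapsearch prints: it renders each account as the passwd(5) line the mapping resolves to and lists the Windows Server 2008 attributes an account still lacks, which is the "compare new and old users" check the answer suggests. The LDIF is constructed; the legacy attribute names on the second account (msSFU30UidNumber and friends) are my assumption about what a pre-2008 Services for UNIX account carries, not something the page states. The pwdLastSet helper spells out the unit mismatch behind the last mapping line: AD stores pwdLastSet as a Windows FILETIME (100 ns ticks since 1601-01-01), whereas shadowLastChange is days since 1970-01-01, so check what getent shadow returns for a mapped account before relying on password ageing.

```python
# Added example: apply the nss_map_attribute table to ldapsearch (LDIF) output,
# render accounts as passwd(5) lines and report which 2008 attributes are missing.
import base64

# The passwd-related rows of the /etc/ldap.conf mapping: NSS name -> AD attribute.
NSS_MAP_ATTRIBUTE = {
    "uid": "sAMAccountName",
    "uidNumber": "uidNumber",
    "gidNumber": "gidNumber",
    "gecos": "cn",
    "homeDirectory": "unixHomeDirectory",
    "loginShell": "loginShell",
    "shadowLastChange": "pwdLastSet",
}

# A passwd entry cannot be resolved without these (gecos may be empty).
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

# Constructed LDIF in the shape of `ldapsearch -LLL` output; not from a real directory.
# "alice" has the 2008 attributes (folded dn and base64 cn exercise the parser);
# "bob" carries only Services-for-UNIX 3.x names (an assumption about pre-2008
# accounts), so the 2008 mapping cannot resolve him.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,
 DC=example,DC=test
objectClass: user
cn:: QWxpY2UgRXhhbXBsZQ==
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash
pwdLastSet: 132000000000000000

dn: CN=Bob Legacy,OU=Users,DC=example,DC=test
objectClass: user
cn: Bob Legacy
sAMAccountName: bob
msSFU30UidNumber: 10002
msSFU30GidNumber: 10000
msSFU30HomeDirectory: /home/bob
msSFU30LoginShell: /bin/sh
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Continuation lines (leading space) are unfolded, "attr:: value" is
    base64-decoded, comments are skipped and a blank line ends an entry.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def missing_attributes(entry):
    """NSS names whose mapped AD attribute is absent; non-empty means migrate."""
    return [nss for nss in REQUIRED if NSS_MAP_ATTRIBUTE[nss] not in entry]


def to_passwd_line(entry):
    """Render an entry as the passwd(5) line the mapping yields, or None."""
    if missing_attributes(entry):
        return None

    def first(nss):
        return entry[NSS_MAP_ATTRIBUTE[nss]][0]

    gecos = entry.get(NSS_MAP_ATTRIBUTE["gecos"], [""])[0]
    return ":".join([first("uid"), "x", first("uidNumber"), first("gidNumber"),
                     gecos, first("homeDirectory"), first("loginShell")])


def filetime_to_shadow_days(pwd_last_set):
    """pwdLastSet (100 ns ticks since 1601-01-01) -> shadowLastChange days since 1970."""
    seconds_1601_to_1970 = 11644473600
    seconds = int(pwd_last_set) // 10_000_000 - seconds_1601_to_1970
    return seconds // 86400


def migration_report(ldif_text):
    """sAMAccountName -> passwd line if resolvable, else the missing NSS names."""
    report = {}
    for entry in parse_ldif(ldif_text):
        name = entry.get("sAMAccountName", entry["dn"])[0]
        report[name] = to_passwd_line(entry) or missing_attributes(entry)
    return report


if __name__ == "__main__":
    for name, result in migration_report(SAMPLE_LDIF).items():
        print(f"{name}: {result}")
```

Feed it the output of an ldapsearch over the user OU instead of SAMPLE_LDIF to get a list of accounts that still need the 2008 attributes populated; an account that shows up with a missing list is one the mapping above will not resolve.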


I've decided to post another answer here, since this is usually the place where people find the information they are looking for.

Whilst the above is all still very valid and true, I have now found a much, much easier way to connect my clients via AD. Debian squeeze (the latest stable release) contains sssd (a package that originates in the Red Hat/Fedora environment), which makes all of this a complete breeze. Upon installation it finds and suggests domain controllers, and I only needed to change very few things in the config file to make it work for me. It works perfectly fine with Windows Server 2008, and it can also cache passwords (important for laptop users).