Martin Konrad

Groups from LDAP: "getent" reports membership correctly but missing in output of "id"

I have a Debian 10 machine which uses PAM LDAP for authentication. In LDAP I have two users, alice and bob, which are both members of group mygroup. Everything has worked fine (so the configuration shouldn't be too far off) until I recently discovered some weirdness with my groups (not sure what happened):

  • ldapsearch reports user alice as a member of group mygroup (as it should).
  • getent group shows user alice as a member of group mygroup (as it should).
    root@tux:~# getent group | grep mygroup
    mygroup:*:1210:alice,bob
    
  • id does not report alice to be a member of group mygroup:
    root@tux:~# id alice
    uid=1200(alice) gid=1200(alice) groups=1200(alice)
    
  • Surprisingly enough user bob is reported to be a member of mygroup:
    root@tux:~# id bob
    uid=1201(bob) gid=1201(bob) groups=1210(mygroup),1201(bob)
    

So far I thought that both getent and id get their information from the Name Service Switch library (NSS). I'm confused and hoping for some hints on how to troubleshoot.
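The two commands do not take the same NSS path: `getent group` enumerates group entries, whereas `id` fills the supplementary group list through the initgroups lookup, so a cached (nscd) or module-specific answer on one path can diverge from the other. The helper below is an added diagnostic, not code from the question or from any LDAP module; it compares the two listings for one user, and the sample data is constructed from the output quoted above:

```sh
#!/bin/sh
# Groups whose member list names USER, from getent-group-style lines on stdin
# (name:passwd:gid:member1,member2). This is the enumeration path.
groups_by_enum() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' | sort -u
}

# Group names from the "groups=" field of an "id" line on stdin, with the
# primary group ("gid=" field) dropped so the two listings are comparable.
groups_by_id() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^gid=/) {
                sub(/^gid=[0-9]+\(/, "", $i); sub(/\)$/, "", $i); primary = $i
            }
            if ($i ~ /^groups=/) {
                sub(/^groups=/, "", $i); n = split($i, g, ",")
                for (j = 1; j <= n; j++) {
                    sub(/^[0-9]+\(/, "", g[j]); sub(/\)$/, "", g[j])
                    if (g[j] != primary) print g[j]
                }
            }
        }
    }' | sort -u
}

# Lines of list $1 that do not occur in list $2 (both newline-separated).
set_diff() {
    printf '%s\n' "$1" | awk -v b="$2" '
        BEGIN { n = split(b, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($0 in seen)'
}

# Report for USER given captured "getent group" output ($2) and its "id" line ($3).
# Prints "getent-only: G" / "id-only: G" per disagreeing group, nothing when they agree.
report_mismatch() {
    enum=$(printf '%s\n' "$2" | groups_by_enum "$1")
    viaid=$(printf '%s\n' "$3" | groups_by_id)
    set_diff "$enum" "$viaid" | sed 's/^/getent-only: /'
    set_diff "$viaid" "$enum" | sed 's/^/id-only: /'
}

# Live check against the running system (call explicitly, e.g. check_user alice).
check_user() { report_mismatch "$1" "$(getent group)" "$(id "$1")"; }

# Constructed sample reproducing the listings from the question.
SAMPLE_GROUP_DB='mygroup:*:1210:alice,bob
alice:*:1200:
bob:*:1201:'
SAMPLE_ID_ALICE='uid=1200(alice) gid=1200(alice) groups=1200(alice)'
SAMPLE_ID_BOB='uid=1201(bob) gid=1201(bob) groups=1210(mygroup),1201(bob)'
```

Running `check_user` for every LDAP user before and after `nscd -i group` (or with the cache daemon stopped) separates a stale cache from a module that answers the initgroups lookup differently from group enumeration.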
