The "user not known" issue was caused by pam_ldap accepting capital letters in usernames while pam-ccreds doesn't. So Nick's suggestion does seem to solve the problem.
Also, IMO, in common-auth pam-ccreds should be above pam_ldap. Otherwise a user not on the network will have to wait for the timeout each time they log in. I don't see any disadvantage here, and switching them seems to work fine for me.