Here's the output of the commands you suggested.
adinfo -T (unidentified):
Domain Diagnostics:
Domain: [correct.domain.name]
DNS query for: _ldap._tcp.[correct.domain.name]
DNS query for: _gc._tcp.[correct.domain.name]
Testing Active Directory connectivity:
Global Catalog: lares.[correct.domain.name]
  gc: 3268/tcp - good
Global Catalog: zeus.[correct.domain.name]
  gc: 3268/tcp - good
Global Catalog: aphrodite.[correct.domain.name]
  gc: 3268/tcp - good
Global Catalog: flora.[correct.domain.name]
  gc: 3268/tcp - timeout
No TCP LDAP response, giving up on flora.[correct.domain.name]
Global Catalog: fauna.[correct.domain.name]
  gc: 3268/tcp - timeout
No TCP LDAP response, giving up on fauna.[correct.domain.name]
Global Catalog: ares.[correct.domain.name]
  gc: 3268/tcp - good
Global Catalog: artemis.[correct.domain.name]
  gc: 3268/tcp - good
Global Catalog: helios.[correct.domain.name]
  gc: 3268/tcp - good
Global Catalog: ceres.[correct.domain.name]
  gc: 3268/tcp - good
Domain Controller: helios.[correct.domain.name]
  ldap: 389/tcp - good
  ldap: 389/udp - good
  smb: 445/tcp - good
  kdc: 88/tcp - good
  kpasswd: 464/tcp - good
  ntp: 123/udp - good
Domain Controller: artemis.[correct.domain.name]
  ldap: 389/tcp - good
  ldap: 389/udp - good
  smb: 445/tcp - good
  kdc: 88/tcp - good
  kpasswd: 464/tcp - good
  ntp: 123/udp - good
Domain Controller: flora.[correct.domain.name]
  ldap: 389/tcp - timeout
No TCP LDAP response, giving up on flora.[correct.domain.name]
Domain Controller: lares.[correct.domain.name]
  ldap: 389/tcp - good
  ldap: 389/udp - good
  smb: 445/tcp - good
  kdc: 88/tcp - good
  kpasswd: 464/tcp - good
  ntp: 123/udp - good
Domain Controller: ceres.[correct.domain.name]
  ldap: 389/tcp - good
  ldap: 389/udp - good
  smb: 445/tcp - good
  kdc: 88/tcp - good
  kpasswd: 464/tcp - good
  ntp: 123/udp - good
Domain Controller: fauna.[correct.domain.name]
  ldap: 389/tcp - timeout
No TCP LDAP response, giving up on fauna.[correct.domain.name]
Domain Controller: ares.[correct.domain.name]
  ldap: 389/tcp - good
  ldap: 389/udp - good
  smb: 445/tcp - good
  kdc: 88/tcp - good
  kpasswd: 464/tcp - good
  ntp: 123/udp - good
Domain Controller: zeus.[correct.domain.name]
  ldap: 389/tcp - good
  ldap: 389/udp - good
  smb: 445/tcp - good
  kdc: 88/tcp - good
  kpasswd: 464/tcp - good
  ntp: 123/udp - good
Domain Controller: aphrodite.[correct.domain.name]
  ldap: 389/tcp - good
  ldap: 389/udp - good
  smb: 445/tcp - good
  kdc: 88/tcp - good
  kpasswd: 464/tcp - good
  ntp: 123/udp - good
adquery user works fine as well. In fact, running just that command tries to list every user in AD, which is a lot. Here's an example of one (with PHI removed):
[username]:x:819327050:817889793:[Last Name], [First Name] [Initial]:/export/homes/[username]:/bin/bash
nsswitch.conf (sections you asked for):
passwd: centrifydc files
shadow: centrifydc files
group: centrifydc files
adquery user -A -u [username] gave a ton of output that is correct, including name, uid, gid, shell, home, dn, sid, userPrincipalName, guid, account info, group memberships, etc. I don't want to copy all of that in here due to the personally identifiable information, but it's working fantastically.
Interestingly enough, however, that command does not prompt for a password like you mentioned. It just gives output.
So you're onto something here in that NSS and/or PAM is likely where the mixup is happening. Do you know where we can go next?
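Added example, not from the original poster or from Centrify: a small parser for diagnostic output in the shape of the adinfo -T listing above, which groups each probe result under its Global Catalog or Domain Controller and reports the hosts that failed any probe (here, the two DCs that timed out on LDAP), so they can be checked or excluded before chasing NSS/PAM. The sample text is constructed in that shape with a made-up domain; the line format is assumed from the output pasted in this thread, not from any Centrify documentation.

```python
import re

# Constructed sample in the shape of the `adinfo -T` output above (made-up domain).
SAMPLE = """\
Domain Diagnostics:
Domain: example.corp
Testing Active Directory connectivity:
Global Catalog: lares.example.corp
  gc: 3268/tcp - good
Global Catalog: flora.example.corp
  gc: 3268/tcp - timeout
No TCP LDAP response, giving up on flora.example.corp
Domain Controller: lares.example.corp
  ldap: 389/tcp - good
  ldap: 389/udp - good
  smb: 445/tcp - good
  kdc: 88/tcp - good
  kpasswd: 464/tcp - good
  ntp: 123/udp - good
Domain Controller: flora.example.corp
  ldap: 389/tcp - timeout
No TCP LDAP response, giving up on flora.example.corp
"""

# "Global Catalog: host" / "Domain Controller: host" opens a new host section.
HOST_RE = re.compile(r"^(Global Catalog|Domain Controller):\s+(\S+)")
# "service: port/proto - status" is one probe result under the current host.
PROBE_RE = re.compile(r"^(\w+):\s+(\d+)/(tcp|udp)\s+-\s+(\w+)")


def parse_adinfo(text):
    """Return {(role, host): {"service:port/proto": status}} for every host listed."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            results.setdefault(current, {})  # keep hosts that report no probes at all
            continue
        m = PROBE_RE.match(line)
        if m and current is not None:
            results[current][f"{m.group(1)}:{m.group(2)}/{m.group(3)}"] = m.group(4)
    return results


def unreachable(results):
    """Hosts with at least one probe whose status is not 'good', with those probes only."""
    return {host: {k: v for k, v in probes.items() if v != "good"}
            for host, probes in results.items()
            if any(v != "good" for v in probes.values())}
```

Feed it the real listing with `parse_adinfo(open("adinfo.txt").read())`; a host that appears under `unreachable` but still has SRV records in DNS is the one the agent keeps waiting on.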