pam_groupdn fails once after reboot of openldap server, but works after that


by schreiter


Greetings all,
I have two CentOS 4.4 computers - one as an openldap server and another as a client.  I'm using openldap-2.2.13-6.4E and
cyrus-sasl-gssapi-2.1.19-5.EL4.  I have a MIT kerberos 5 installation that I have integrated to openldap via PAM and NSSLDAP
(via CYRUS SASL GSSAPI).  The client uses NSSLDAP principal via a keytab to gain access to kerberos at login time.

I am using pam_groupdn on the client to limit who can log in to the client.  This normally works, but I've noticed that after
a reboot of the openldap server, I am able to log in one time using any principal in kerberos and openldap (sample posix entry below).

After I log out, if I try to log in again with that same account, I receive the error "You must be a member of cn=grp,ou=group,dc=..." which is what I would normally expect to see.

I also tried to log in to the client with the same non-authorized account when the openldap server is powered off, and the error
on the client is "authentication failed" - which also seems reasonable.  When the mysterious allowed login happens I am able to run "ldapwhoami -Y GSSAPI -ZZ" from both the client and server without any type of error (due to clock skew, GSSAPI / SASL errors, etc.).

I can post more information, but below is pretty standard boilerplate detail.  I'm not sure if this is a pam or nss ldap issue, so I decided to post here.

I don't really know where to start looking - can anybody point me in the correct direction?

Many thanks,
Jonathan

CLIENT CONFIGS
-=-=-=-=-=-=-=
/etc/ldap.conf (/etc/openldap/ldap.conf)
HOST myldapserver.mydomain.com
BASE dc=mydomain,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
TLS_REQCERT demand
TLS_CIPHER_SUITE HIGH
SASL_MECH GSSAPI
SASL_REALM MYREALM.COM
SASL_SECPROPS noplain,noactive,noanonymous,minssf=56
use_sasl on
sasl_auth_id nssldap/myclient.mydomain.com
krb5_ccname FILE:/etc/.ldapcache
uri ldap://myldapserver.mydomain.com
ssl start_tls
pam_password md5
pam_login_attribute uid
pam_member_attribute memberUid
pam_sasl_mech GSSAPI
pam_groupdn cn=grp_logon1,ou=logon,ou=groups,dc=mydomain,dc=com

/etc/init.d/nscd
#added
export KRB5CCNAME=/etc/.ldapcache
/etc/crontab
#added
*/6 * * * /usr/kerberos/bin/kinit -k -t /etc/ldap.keytab -c /etc/.ldapcache nssldap/myclient.mydomain.com && chown nscd:nscd /etc/.ldapcache && chmod 0644 /etc/.ldapcache

/etc/krb5.keytab (klist -k): host/myclient.mydomain.com@...
/etc/ldap.keytab (klist -k): nssldap/myclient.mydomain.com@...
/etc/.ldapcache (ldap cache from crontab above)

OPENLDAP SERVER CONFIGS
-=-=-=-=-=-=-=-=
/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include  /etc/openldap/schema/core.schema
include  /etc/openldap/schema/cosine.schema
include  /etc/openldap/schema/inetorgperson.schema
include  /etc/openldap/schema/nis.schema
# Allow LDAPv2 client connections.  This is NOT the default.
#allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile  /var/run/slapd.pid
argsfile /var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
TLSCipherSuite HIGH
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/gamma_pubcert.pem
TLSCertificateKeyFile /etc/openldap/gamma_key.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
sasl-host myldapserver.mydomain.com
sasl-realm MYREALM.COM
sasl-secprops noplain,noactive,noanonymous,minssf=56
security sasl=56, tls=128, ssf=56, update_sasl=56, update_ssf=56, update_tls=128
disallow bind_simple
disallow bind_anon
disallow bind_krbv4
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
#  Allow self write access
#  Allow authenticated users read access
#  Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix  "dc=mydomain,dc=com"
rootdn          "uid=ldapadminaccount,cn=mydomain.com,cn=gssapi,cn=auth"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@...

/etc/krb5.keytab (klist -k): host/myldapserver.mydomain.com@...
/etc/openldap/ldap.keytab (klist -k): ldap/myldapserver.mydomain.com@MYREALM

sample posix account:
dn: uid=myuser,ou=,dc=mydomain,dc=com
uid: myuser
cn: myuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 501
gidNumber: 100
homeDirectory: /home/myuser

sample login group (pam_groupdn)
dn: cn=mygroup,ou=,dc=mydomain,dc=com
objectClass: posixGroup
objectClass: top
cn: grp_servers
gidNumber: 500
memberUid: uid=myuser,ou=,dc=mydomain,dc=com
