There are a few things we can check:
1) Do not add Active Directory group accounts in ONTAP that have a common (sub)set of users, e.g. when an Active Directory group is assigned the "admin" role and a user from that group is assigned another role in ONTAP.
2) Remove the Active Directory groups from ONTAP, and add them back with the domain identifier in upper case, e.g. if the domain is "DOMAIN" and the user is "user1", the admin account configured at ONTAP as "domain\user1".
3) We can check if we are able to get the user information from the DC:
::> set d -c off
::*> diag secd authentication show-creds -node <node_hosting_lif> -vserver <svm> -win-name <domain\username>
The problem could be with the PAM module or with the DC connections. With debug logging done in PAM and in secd, along with packet traces, we can find why authentication for a user from the group added to security login is failing.
I would suggest opening a support ticket for further investigation.