I found the libnss-ldap package breaks setuid programs (su, sudo) and NoMachine PAM module happens to include su rules. Switch to the newer libnss-ldapd (and accordingly libpam-ldapd etc.) package should solve the problem. For my case I adopted sssd for credentials caching, which has its own ldap backend, and NoMachine works again.
I enabled the debug log level to 7. When nxserver started, its child processes died somehow so made nxserver quit and so as nxd and nxnode. I attached nxserver.log when issuing “invoke-rc.d nxserver start”. Please take a look, thanks.