Problem

For unknown reasons some of your users appear to have a expired password even though your password policies does not enforce password expiry.

Solution for OpenLDAP

Disable the Posix and Kerberos expiry dates for all affected users.

Step 1

Check that password expiry policies configured in Univention Directory Manager (UDM) and Samba/AD are set to the same values. Please note that UDM policies and Samba/AD domain policies are not automatically synchronized because they have different design concepts: Different UDM policies may be assigned to different users (or containers) but in Samba/AD there is an additional global domain wide policy. If the values differ, the user experience may appear inconsistent.

Step 2

On the DC Master create a file named user.ldif which contains all user entries as shown below:

dn: uid=test30,cn=users,dc=multi,dc=ucs
changetype: modify
delete: krb5PasswordEnd

dn: uid=test30,cn=users,dc=multi,dc=ucs
changetype: modify
delete: shadowMax

Step 3

Install the above file:
ldapmodify -c -D uid=Administrator,cn=users,dc=multi,dc=ucs -W -f user.ldif

It is expected that this command may output error messages for non-existing attributes and that’s ok:

modifying entry "uid=test30,cn=users,dc=multi,dc=ucs"
ldap_modify: No such attribute (16)
        additional info: modify/delete: shadowMax: no such attribute