For unknown reasons, some of your users appear to have an expired password even though your password policies do not enforce password expiry.
Solution for OpenLDAP
Disable the POSIX and Kerberos expiry dates for all affected users.
Check that the password expiry policies configured in Univention Directory Manager (UDM) and Samba/AD are set to the same values. Please note that UDM policies and Samba/AD domain policies are not automatically synchronized because they have different design concepts: different UDM policies may be assigned to different users (or containers), but in Samba/AD there is an additional global domain-wide policy. If the values differ, the user experience may appear inconsistent.
On the DC Master, create a file named user.ldif that contains the entries for all affected users, as shown below:
dn: uid=test30,cn=users,dc=multi,dc=ucs
changetype: modify
delete: krb5PasswordEnd

dn: uid=test30,cn=users,dc=multi,dc=ucs
changetype: modify
delete: shadowMax

Install the above file:
ldapmodify -c -D uid=Administrator,cn=users,dc=multi,dc=ucs -W -f user.ldif
This command may output error messages for attributes that do not exist on an entry. That is expected and OK; the -c option makes ldapmodify continue with the remaining entries:
modifying entry "uid=test30,cn=users,dc=multi,dc=ucs"
ldap_modify: No such attribute (16)
	additional info: modify/delete: shadowMax: no such attribute
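
One way to build user.ldif for many users, as an added example that is not part of the original article or Univention's tooling: the function below reads ldapsearch output and writes a delete record only for the expiry attributes an entry actually has, which avoids the "No such attribute" errors shown above. The function name make_expiry_ldif and the search filter in the comment are assumptions; review the resulting file so it covers only the affected users.

```shell
#!/bin/sh
# Added example (not Univention's code): build user.ldif from ldapsearch LDIF on
# stdin. The search below is an assumption; narrow it to the affected users:
#   ldapsearch -LLL -D uid=Administrator,cn=users,dc=multi,dc=ucs -W \
#     -b dc=multi,dc=ucs '(|(krb5PasswordEnd=*)(shadowMax=*))' \
#     krb5PasswordEnd shadowMax | make_expiry_ldif > user.ldif
make_expiry_ldif() {
    awk '
    BEGIN { attr[1] = "krb5PasswordEnd"; attr[2] = "shadowMax" }
    # Write one modify record per expiry attribute the entry really has,
    # so ldapmodify does not report "No such attribute (16)".
    function emit(   i) {
        for (i = 1; i <= 2; i++) {
            if (dn != "" && has[i])
                printf "%s\nchangetype: modify\ndelete: %s\n\n", dn, attr[i]
            has[i] = 0
        }
        dn = ""
    }
    # Process one logical (already unfolded) LDIF line.
    function handle(l,   name) {
        if (l == "") { emit(); return }               # blank line ends an entry
        if (l ~ /^dn::? /) { emit(); dn = l; return } # dn:: is a base64 DN, kept as is
        name = tolower(l); sub(/:.*/, "", name)       # attribute names ignore case
        if (name == "krb5passwordend") has[1] = 1
        else if (name == "shadowmax") has[2] = 1
    }
    { sub(/\r$/, "") }
    /^ / { pending = pending substr($0, 2); next }    # folded line: join to previous
    { if (started) handle(pending); pending = $0; started = 1 }
    END { if (started) handle(pending); emit() }
    '
}

# Constructed sample input (not real directory data): a folded DN that has
# only shadowMax set, so a single record is printed.
make_expiry_ldif <<'EOF'
dn: uid=test30,cn=users,dc=mul
 ti,dc=ucs
shadowMax: 90
EOF
```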