Problem
For unknown reasons, some of your users appear to have an expired password even though your password policies do not enforce password expiry.
Solution for OpenLDAP
Disable the POSIX and Kerberos expiry dates for all affected users.
Step 1
Check that the password expiry policies configured in Univention Directory Manager (UDM) and Samba/AD are set to the same values. Please note that UDM policies and Samba/AD domain policies are not automatically synchronized because they follow different design concepts: different UDM policies may be assigned to different users (or containers), whereas Samba/AD has an additional global, domain-wide policy. If the values differ, the user experience may appear inconsistent.
Step 2
On the DC Master, create a file named user.ldif that contains entries for all affected users, as shown below:
dn: uid=test30,cn=users,dc=multi,dc=ucs
changetype: modify
delete: krb5PasswordEnd

dn: uid=test30,cn=users,dc=multi,dc=ucs
changetype: modify
delete: shadowMax
Step 3
Apply the changes in the above file:
ldapmodify -c -D uid=Administrator,cn=users,dc=multi,dc=ucs -W -f user.ldif
This command is expected to print error messages for attributes that do not exist on an entry. That is OK; because of the -c option, ldapmodify continues with the remaining entries:
modifying entry "uid=test30,cn=users,dc=multi,dc=ucs"
ldap_modify: No such attribute (16)
additional info: modify/delete: shadowMax: no such attribute
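When many users are affected, user.ldif from Step 2 can be generated from search results rather than written by hand. The script below is an added example, not part of the original article: it emits one modify record per expiry attribute that is actually set on an entry. The function names, the ldapsearch invocation in the comment and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: build user.ldif from ldapsearch output instead of by hand.
# Real input would come from something like (assumed invocation, same bind
# options as the ldapmodify call in Step 3):
#   ldapsearch -LLL -o ldif-wrap=no -D uid=Administrator,cn=users,dc=multi,dc=ucs -W \
#     -b cn=users,dc=multi,dc=ucs '(|(krb5PasswordEnd=*)(shadowMax=*))' \
#     krb5PasswordEnd shadowMax | gen_expiry_ldif > user.ldif

# Reads LDIF search results on stdin and writes one modify record per expiry
# attribute that is present, each as its own record as in Step 2, so a
# failure on one attribute cannot block removal of the other.
gen_expiry_ldif() {
    awk '
        # "dn:" or base64 "dn::" starts an entry; reuse the line verbatim
        /^dn::? / { dn = $0; next }
        /^(krb5PasswordEnd|shadowMax):/ {
            attr = $1
            sub(/:+$/, "", attr)          # strip ":" or "::" after the name
            if (dn != "")
                printf "%s\nchangetype: modify\ndelete: %s\n\n", dn, attr
            next
        }
        /^$/ { dn = "" }                   # blank line ends the entry
    '
}

# Constructed sample input (not real directory data): one user with both
# attributes, one with each single attribute (the third DN is base64 because
# its uid is non-ASCII), and one user with neither attribute.
sample_search_output() {
    cat <<'EOF'
dn: uid=test30,cn=users,dc=multi,dc=ucs
krb5PasswordEnd: 20240101000000Z
shadowMax: 90

dn: uid=test31,cn=users,dc=multi,dc=ucs
krb5PasswordEnd: 20240101000000Z

dn:: dWlkPXTDqXN0MzIsY249dXNlcnMsZGM9bXVsdGksZGM9dWNz
shadowMax: 90

dn: uid=test33,cn=users,dc=multi,dc=ucs
uid: test33
EOF
}

sample_search_output | gen_expiry_ldif
```

Review the generated file before applying it with the ldapmodify command from Step 3.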