Login from a Windows client is no longer possible 24 hours before the account expires.
A kinit test says the credentials have been revoked
kinit: krb5_get_init_creds: Clients credentials have been revoked
Please check Bug 53012. As far as it is not fixed (and you have not installed the fixing errata) there is a gap in the expiry date of samba and ldap of exactly 86400 seconds or simply one day.
If you want to schedule an expiry date f.e. for leaving employees, set the expiry date one day ahead. So if the employee will not work in the company at the 1st of February and will work on his last day, the 31st of January set the expiry date on 2nd of February in UMC.