Full descriptions are in the following two threads from the Samba list, including examples, proofs of concept, and suggestions for fixing the problem: http://lists.samba.org/archive/samba/2008-April/139711.html http://www.mail-archive.com/samba@lists.samba.org/msg96183.html Basically, instead of using the response that LDAP gives Samba as to why the ppolicy constraints were violated, Samba looks in its own database for what it thinks the return code means. This means all ppolicy constraints have to be duplicated in Samba, which is simply not scalable or maintainable.
Looking at the code, it can't happen any more what the logs in the list posting showed with recent Samba releases. Do you really see NT_STATUS_UNSUCCESSFUL being returned when LDAP gives an LDAP_CONSTRAINT_VIOLATION? I'm resolving this as a dup of #5163. If you really still see this problem with recent Samba releases, please reopen the bug and attach a network sniff and level 10 log of it.

*** This bug has been marked as a duplicate of bug 5163 ***