source of samba-3.4.0pre2: in nsswitch/pam_winbind.c:917 there is a check (policy->expire == -1) that can never be satisfied since policy is wbcUserPasswordPolicyInfo and expire is defined in nsswitch/libwbclient/wbclient.h as uint64_t. Since an expiry of "never" is translated to the biggest number I think the test should be something like (policy->expire + 1 == 0). The same bug appears in samba 3.3.x where the check was (policy->expire <= 0) and prevents logins in particular configurations with security = ADS.
This is a duplicate, just for 3.4 (bug #6253 is for 3.3).

*** This bug has been marked as a duplicate of bug 6253 ***
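The three comparisons quoted in this report, evaluated over representative uint64_t values under C's usual arithmetic conversions, next to an explicit sentinel comparison. This is an added example, not Samba code: `struct policy_info`, `EXPIRE_NEVER`, the helper names and the sample values are assumptions, with "never" taken to be `UINT64_MAX` from the report's "biggest number".

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for wbcUserPasswordPolicyInfo: only the field the report discusses. */
struct policy_info {
    uint64_t expire;
};

/* Assumption from the report: "never expires" is stored as the largest value. */
#define EXPIRE_NEVER UINT64_MAX

/* 3.4.0pre2 form quoted in the report; the int -1 is converted to uint64_t. */
static bool check_eq_minus_one(const struct policy_info *p) { return p->expire == -1; }

/* 3.3.x form quoted in the report; on an unsigned field this equals "== 0". */
static bool check_le_zero(const struct policy_info *p) { return p->expire <= 0; }

/* Form proposed in the report; relies on unsigned wrap-around. */
static bool check_plus_one(const struct policy_info *p) { return p->expire + 1 == 0; }

/* Explicit sentinel comparison with no signed/unsigned mixing. */
static bool check_sentinel(const struct policy_info *p) { return p->expire == EXPIRE_NEVER; }

/* Pack the four results into a bitmask: bit3 "== -1", bit2 "<= 0",
 * bit1 "+ 1 == 0", bit0 "== EXPIRE_NEVER". */
static unsigned evaluate(uint64_t expire)
{
    struct policy_info p = { .expire = expire };
    return (unsigned)((check_eq_minus_one(&p) << 3) | (check_le_zero(&p) << 2) |
                      (check_plus_one(&p) << 1) | check_sentinel(&p));
}

int main(void)
{
    /* Constructed sample values, not taken from any real policy. */
    const uint64_t samples[] = { 0, 1, 3628800, UINT64_MAX - 1, UINT64_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned r = evaluate(samples[i]);
        printf("expire=%-20llu ==-1:%u  <=0:%u  +1==0:%u  ==MAX:%u\n",
               (unsigned long long)samples[i],
               (r >> 3) & 1, (r >> 2) & 1, (r >> 1) & 1, r & 1);
    }
    return 0;
}
```

Compilers typically flag the first two forms with `-Wsign-compare` and `-Wtype-limits` (enabled by `-Wextra` in GCC), which is a cheap way to find this class of comparison in a code base.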