In pam_winbind we can only check whether an account has expired or been disabled if we try to authenticate. It should be possible to check whether a user can log in without authenticating. An admin may allow login with ssh public keys, in which case the user authentication is already done. As winbind can't check if the user is allowed to log in, it bypasses the check of whether the account is allowed to log in.

This means we need to extend the winbind protocol. winbind needs to check the account information with:

  samr_QueryUserInfo -> UserControlInformation
  ads_find_samaccount (gets the userAccountControl flags)

Then we need to extend libwbclient to be able to get the information and then implement it in pam_winbind.
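
The account-state decision described above, written out as an added example (this is not Samba or pam_winbind code). The function and enum names are hypothetical, and using the AD accountExpires attribute as the expiry source is an assumption that the report does not state; the check needs only the userAccountControl flags and that timestamp, no password exchange.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* userAccountControl bit set on a disabled account (UF_ACCOUNTDISABLE). */
#define UF_ACCOUNTDISABLE 0x00000002u

/* accountExpires values that mean "never expires". */
#define NTTIME_NEVER_ZERO 0ULL
#define NTTIME_NEVER_MAX  0x7FFFFFFFFFFFFFFFULL

/* Seconds between 1601-01-01 (NTTIME epoch) and 1970-01-01 (Unix epoch). */
#define NTTIME_EPOCH_DIFF 11644473600ULL

/* Hypothetical result codes; a PAM account hook would map them to
 * PAM_SUCCESS, PAM_PERM_DENIED and PAM_ACCT_EXPIRED. */
enum acct_status { ACCT_OK = 0, ACCT_DISABLED, ACCT_EXPIRED };

/* Convert 100ns-tick NTTIME to Unix seconds (sentinels handled by caller). */
static uint64_t nttime_to_unix(uint64_t nt)
{
    uint64_t secs = nt / 10000000ULL;
    return secs > NTTIME_EPOCH_DIFF ? secs - NTTIME_EPOCH_DIFF : 0;
}

/* uac: userAccountControl flags; account_expires: raw NTTIME value;
 * now: current Unix time. Disabled takes precedence over expired. */
enum acct_status acct_login_status(uint32_t uac, uint64_t account_expires,
                                   time_t now)
{
    if (uac & UF_ACCOUNTDISABLE)
        return ACCT_DISABLED;
    if (account_expires == NTTIME_NEVER_ZERO ||
        account_expires == NTTIME_NEVER_MAX)
        return ACCT_OK;
    /* Fail closed on a nonsensical clock value. */
    if (now < 0 || (uint64_t)now >= nttime_to_unix(account_expires))
        return ACCT_EXPIRED;
    return ACCT_OK;
}

int main(void)
{
    /* Constructed sample: normal account (0x200) with the disable bit set. */
    printf("%d\n", acct_login_status(0x202u, 0, time(NULL)));
    return 0;
}
```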