If you have the ability to build netatalk from source code, can you please try this patch?
https://github.com/Netatalk/netatalk/pull/2401

The getting started guide for building from source is here: https://netatalk.io/install

What this patch does is treat PAM_IGNORE as a successful return code, since this is a common use case for PAM with an AD backend. Discussion in https://bbs.archlinux.org/viewtopic.php?id=306146

