You still have a "close enough" equivalent – if your accounts are stored in /etc/passwd, then hopefully all services using them do so through PAM and not through direct file access. So in that case you'll still have PAM honor the "lockout" via chage -l (or wherever it was) due to account/pam_unix enforcing the check, and you should still have it honor an invalid shell due to pam_shells.so enforcing that.

(And if the services directly access /etc/shadow, Slackware style, I would honestly say that's a self-inflicted problem...)

And additionally if you have PAM you can use /etc/security/access.conf to limit login to a specific user group or lock out other users/groups.

Unfortunately, a variety of common authentication systems don't use PAM. Apache htpasswd definitely doesn't, and I believe that Samba doesn't normally (it has its own separate database, which is normally synchronized to your Unix passwords). I'm not sure if common LDAP servers use PAM when you authenticate through them, but there you have the problem that often what matters is the specific LDAP client the user is authenticating to, not the LDAP server. And various things that authenticate via LDAP aren't even thinking about Unix users, so they definitely don't use PAM; they just consider LDAP an authoritative source of users, maybe user attributes, and authentication.

Apache trying to interpret the shell field seems like a huge conflation of concerns and the wrong kind of magic to me. Even login(1) doesn’t actually attempt that: all it does it run the specified executable. It is the executable which then implements some policy – not login(1). Of course this is not an option for Apache; I don’t think it’s feasible for it to somehow defer to the specified executable in the same way. “Then it should assign meaning based on the path name itself” seems entirely the wrong reaction, though.

What is the requirement lurking in the background here?

A UID is good for two things in Unix: owning files and owning processes.

Is the idea that you want an easy way to say “this UID should never be allowed to own a process”? That seems a reasonable desire, just the shell passwd field not the right layer to do it with.

Is the idea that the UID may own processes but you want to be able to restrict it to fixed set of what kind of process? A more complicated want, but again: reasonable but not for passwd.

Or is the idea that the UID may own arbitrary processes, but you just don’t want it to be able to log in? In that case I’m not sure I can picture why you’d want that. What makes logging in special? A shell is just a process, and can be used to create other processes; if it’s OK for the UID to own other processes that may do whatever, what makes shell especially undesirable? What even constitutes “logging in” really?

(As a sidebar, running through all the cases, but for the other thing a UID is good for: being able to limit a UID to owning processes but not files seems an interesting idea that might possibly be useful but I can’t actually imagine how. More obviously useful would be to be able to restrict file ownership to a certain set of files; on one hand, d’uh, this already exists and is called permissions; OTOH in the existing mechanism the file is the object on which access control is specified, and it might be potentially be useful and allow for better clarity to be able to specify policy based on the UID (“in the FS root only these accounts have access to create files” (with implicit MAC based on what is then created there) vs “this UID is prohibited from owning files anywhere but this directory” (which would apply regardless what sort of things anyone puts anywhere else in the FS)). For the login special case restriction, I can’t even think of what the file ownership parallel could be.)

and I believe that Samba doesn't normally (it has its own separate database, which is normally synchronized to your Unix passwords).

It still has the ability to call PAM for authorization, though (just like e.g. sshd still does call PAM for the authorization functions even if you log in via public-key and bypass PAM authentication).