Comment 0 for bug 952771

Gnome Screensaver should handle expired password tokens. Currently it does
not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens).
Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue:
https://bugzilla.gnome.org/show_bug.cgi?id=648875
The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there).
Both solutions using this patch (with and without "passwd required pam_permit.so") tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected.
This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream
yet.