Comment 2 for bug 869501

renbag (renbag) wrote:

I tried to reproduce the bug in precise, with latest updates (lightdm 1.1.9-0ubuntu1) and found this:

First of all, the unity-greeter no longer has an entry to allow login for "other" users than local ones. Since winbind domain users are not listed in /etc/passwd, the only way for such users to log in is to add them manually to this file, after having obtained the data with "getent passwd".

Then, if I try to login as a domain user with the default PAM configuration set up by the various PAM modules, I obtain this:

1 - ******** (first enter expired password);
2 - "You need to change your password now"
    "Enter new Unix password" --> ******** (new password)
3 - "Retype new Unix password" --> ******** (new password)
4 - (login performed, but NT password is not changed)
5 - Subsequent logins are allowed with old NT expired password
    (without asking to change it) or with new Unix password

[In this case the content of /etc/pam.d/common-password is this:
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
... ]

If I reverse the order of pam_unix.so and pam_winbind.so, I obtain this:

1 - ******** (first enter expired password);
2 - "You need to change your password now"
    "(current) NT password" --> ******** (expired password)
3 - "Enter new Unix password" --> ******** (new password)
4 - "Retype new Unix password" --> ******** (new password)
5 - "Invalid password, please try again"

[In this case the content of /etc/pam.d/common-password is this:
password [success=2 default=ignore] pam_winbind.so use_authtok
password [success=1 default=ignore] pam_unix.so obscure sha512 try_first_pass
... ]
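A small simulator of the PAM control-flow semantics at play in the two common-password stacks quoted above, added here as an example (it is not part of the original comment). The elided tail of the file is assumed to be Ubuntu's usual pam_deny/pam_permit pair, and the model walks the stack once rather than PAM's two password passes; both are assumptions.

```python
# Simplified model of Linux-PAM control flow (a pam.d(5) subset) used to trace which
# modules in the two quoted common-password stacks run. Caveat: real PAM walks the
# password stack twice (PAM_PRELIM_CHECK, then PAM_UPDATE_AUTHTOK); this walks once.

def parse_line(line):  # 'password <control> <module> [args...]' -> (control, module)
    rest = line.split(None, 1)[1]
    if rest.startswith("["):                      # bracketed control may contain spaces
        control, rest = rest.split("]", 1)
        control += "]"
    else:
        control, rest = rest.split(None, 1)
    return control.strip(), rest.split()[0]

def run_stack(config, results):
    """results maps module -> True/False; returns (overall_success, modules invoked)."""
    stack = [parse_line(l) for l in config if l.strip() and not l.startswith("#")]
    invoked, status, i = [], None, 0
    while i < len(stack):
        control, module = stack[i]
        invoked.append(module)
        ok = results.get(module, False)
        i += 1
        if control.startswith("["):
            actions = dict(t.split("=") for t in control.strip("[]").split())
            action = actions["success"] if ok else actions["default"]
            if action.isdigit():                  # success=N: counts as ok, skip N entries
                i += int(action)
                status = True if status is None else status
        elif control == "requisite" and not ok:   # failure ends the stack immediately
            return False, invoked
        elif control in ("required", "requisite"):
            status = False if not ok else (True if status is None else status)
        elif control == "sufficient" and ok and status is not False:
            return True, invoked
    return bool(status), invoked                  # "ignore" results never set status

# Constructed stacks: the two orderings from the comment; the tail is an assumption.
TAIL = ["password requisite pam_deny.so", "password required pam_permit.so"]
UNIX_FIRST = ["password [success=2 default=ignore] pam_unix.so obscure sha512",
              "password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass"] + TAIL
WINBIND_FIRST = ["password [success=2 default=ignore] pam_winbind.so use_authtok",
                 "password [success=1 default=ignore] pam_unix.so obscure sha512 try_first_pass"] + TAIL

def trace_unix_first():
    """pam_unix succeeds: success=2 jumps to pam_permit, so pam_winbind never runs."""
    return run_stack(UNIX_FIRST, {"pam_unix.so": True, "pam_winbind.so": True, "pam_permit.so": True})

def trace_winbind_first(winbind_ok, unix_ok):
    """Reversed order: whichever backend succeeds first skips the other one."""
    return run_stack(WINBIND_FIRST, {"pam_winbind.so": winbind_ok, "pam_unix.so": unix_ok, "pam_permit.so": True})
```

The trace shows why the observed behaviour follows from the `success=N` jumps: in either ordering at most one of pam_unix and pam_winbind gets to update its password store, so the two backends drift apart exactly as reported.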