Comment 6 for bug 114620

Steve Langasek (vorlon) wrote :

Sorry, but this is not a PAM bug. Password changing is a completely separate application entry point from authentication, in PAM; it is the responsibility of the calling application to handle a return of PAM_NEW_AUTHTOK_REQD from pam_acct_mgmt(), indicating that the user must change his password. If gdm isn't doing that, that's a gdm bug.

If gdm *is* handling PAM_NEW_AUTHTOK_REQD correctly, then the problem is that this is never the value that's being returned, which means one of two things: either the PAM module in use is buggy (which I don't think is the case here because I've used pam_winbind+password expiry fine in the past with no problems), or the Windows domain is configured to immediately lock accounts out upon password expiry. The last case is certainly not something that we can fix...

Separately, there seems to be a wishlist request (in the upstream bug) to allow a user to change their password from within GDM itself even when it's not expired. I don't know how that would work, because the information that the password will expire /soon/ is entirely advisory and not part of the PAM spec, so the user would never see this information until after they'd successfully logged in. That part is probably a general GNOME bug rather than a GDM bug, then.
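The caller-side handling described in the comment, as an added example that is not part of the original comment and is not gdm or Linux-PAM code. The `pam_ops` table, the fake stack and `simulate()` are hypothetical, and the constants are stand-ins assumed to match Linux-PAM's headers so the sketch builds without libpam.

```c
/* Stand-in constants so this builds without libpam; values are assumed to
   match Linux-PAM's <security/_pam_types.h>. */
#define PAM_SUCCESS                0
#define PAM_NEW_AUTHTOK_REQD       12
#define PAM_ACCT_EXPIRED           13
#define PAM_AUTHTOK_ERR            20
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020
/* Hypothetical indirection: a real caller points these at pam_authenticate(),
   pam_acct_mgmt() and pam_chauthtok(), passing its pam_handle_t as h. */
struct pam_ops {
    int (*authenticate)(void *h, int flags);
    int (*acct_mgmt)(void *h, int flags);
    int (*chauthtok)(void *h, int flags);
};

/* Returns PAM_SUCCESS only when it is safe to open a session. */
int login_flow(const struct pam_ops *ops, void *h)
{
    int rc = ops->authenticate(h, 0);
    if (rc != PAM_SUCCESS) return rc;
    rc = ops->acct_mgmt(h, 0);
    if (rc == PAM_NEW_AUTHTOK_REQD) {
        /* Expired but changeable: the caller must run the password change. */
        rc = ops->chauthtok(h, PAM_CHANGE_EXPIRED_AUTHTOK);
        if (rc == PAM_SUCCESS) rc = ops->acct_mgmt(h, 0);  /* re-check */
    }
    return rc;   /* e.g. PAM_ACCT_EXPIRED when the account is locked out */
}

/* Constructed fake PAM stack so the flow runs offline. */
struct fake { int acct_rc, chg_rc, chg_calls; };
static int f_auth(void *h, int fl) { (void)h; (void)fl; return PAM_SUCCESS; }
static int f_acct(void *h, int fl) { (void)fl; return ((struct fake *)h)->acct_rc; }
static int f_chg(void *h, int fl)
{
    struct fake *s = h;
    s->chg_calls++;
    if (s->chg_rc == PAM_SUCCESS && (fl & PAM_CHANGE_EXPIRED_AUTHTOK))
        s->acct_rc = PAM_SUCCESS;        /* new password clears the expiry */
    return s->chg_rc;
}
static const struct pam_ops fake_ops = { f_auth, f_acct, f_chg };
int simulate(int acct_rc, int chg_rc, int *chg_calls)
{
    struct fake s = { acct_rc, chg_rc, 0 };
    int rc = login_flow(&fake_ops, &s);
    *chg_calls = s.chg_calls;
    return rc;
}
int main(void) { int n; return simulate(PAM_NEW_AUTHTOK_REQD, PAM_SUCCESS, &n); }
```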