Active Directory users unable to change expired password on logon

I have Ubuntu 20.04 domain joined in a test-lab environment. The problem is even if a user is set to change their password upon logon via Windows active directory the user is never prompted to do so. I have tried multiple domain join methods with the same result including the official Ubuntu "Integration of Ubuntu Desktop with Microsoft Active Directory" white paper

https://ubuntu.com/engage/microsoft-active-directory

Using this SSSD and Realmd AD joined method the user is denied logon and receives a "Sorry, that did'nt work. Please try again" message.

When using a Winbind and Samba joined AD system the user receives an "expired password" warning but is allowed to logon to the system without being forced to change the password.

Below are the WinBind steps with comments on each step:

#hostname rename

#!/bin/bash
echo Please enter new hostname
read hostrename
sudo hostnamectl set-hostname $hostrename &&
sudo rm -f /etc/hosts
sudo cat > /etc/hosts << EOF
127.0.0.1 localhost
127.0.1.1 $hostrename.TESTDOMAIN.INC $hostrename

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

EOF

#install needed packages

sudo apt-get install bind9-dnsutils &&
sudo apt-get install ntpdate &&
sudo apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind &&

#remove and create krb5.conf with specific variables
sudo rm -f /etc/krb5.conf
sudo cat > /etc/krb5.conf << EOF
[libdefaults]
        default_realm = TESTDOMAIN.INC

        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        TESTDOMAIN.INC = {
                kdc = DC01.TESTDOMAIN.INC
                admin_server = DC01.TESTDOMAIN.INC
        }

[domain_realm]
        TESTDOMAIN = TESTDOMAIN.INC
        .testdomain.inc = TESTDOMAIN.INC

EOF

#remove and create samba files with specific variables

sudo rm -f /etc/samba/smb.conf &&
sudo cat > /etc/samba/smb.conf << EOF
[global]
workgroup = TESTDOMAIN
realm = TESTDOMAIN.INC
security = ADS
dns forwarder = 10.0.0.218
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
EOF
break

#restart services

sudo systemctl restart winbind smbd nmbd

#home directory enablement

pam-auth-update --enable mkhomedir

#nssswitch removal and modification to enable domain accounts

sudo rm -f /etc/nsswitch.conf
sudo cat > /etc/nsswitch.conf <<EOF
passwd: files systemd winbind
group: files systemd winbind
shadow: files winbind
gshadow: files winbind

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
EOF
echo done

Since this is a test environment I manually added my DNS server in Network manager

After the configuration script I tested authentication with the following domain account:
kinit administrator

After the configuration script I manually joined with the following line:

sudo net ads join -U administrator

This joined the system to the Windows Domain TESTDOMAIN.INC with working DNS