Comment 11 for bug 570944

Interesting. Short explanation of the parameters: the pam passwd stack asks for two passwords, one to authenticate and one as the new password.

try_first_pass makes pam_winbind try to use the authentication password provided to the previous module (pam_unix). If it fails, it will prompt for a new authentication password.

use_authtok makes pam_winbind use the new password as set by the previous module. If there is none, it will prompt for a new password to use.

Looks like the latter is failing: you don't get prompted for a new password ever if "use_authtok" is present.

Could you post the output and logs you get when changing winbind password and using "password [success=1 default=ignore] pam_winbind.so try_first_pass" ? I'll try to compare it with the output and logs you posted in Description.