Interesting. Short explanation of the parameters: the PAM passwd stack asks for two passwords, one to authenticate and one as the new password.
try_first_pass makes pam_winbind try to use the authentication password provided to the previous module (pam_unix). If it fails, it will prompt for a new authentication password.
use_authtok makes pam_winbind use the new password as set by the previous module. If there is none, it will prompt for a new password to use.
Looks like the latter is failing: you don't get prompted for a new password ever if "use_authtok" is present.
Could you post the output and logs you get when changing the winbind password and using "password [success=1 default=ignore] pam_winbind.so try_first_pass"? I'll try to compare it with the output and logs you posted in the Description.