[Samba] pam_winbind.so user expired password config for Solaris /etc/pam.conf

Speidel, Bruce Bruce.Speidel at qwest.com
Thu Jan 26 21:54:32 GMT 2006


I'm trying to configure my Solaris 9 pam.conf for CDE login/password
expiration using ADS security against W2003.  If my AD account password is
in good standing, my config works great in /etc/pam.conf.  However, I'm
having trouble getting it to recognize that my password in AD has expired
and to prompt me to reset it on the CDE screen.  With the config below it
just tells me "login incorrect".  Any ideas?
 
My /opt/samba/smb.conf file looks like:
 
# Samba global section: this host is an ADS member server (security = ADS)
# in realm QACCESST.ADTEST.AD.LAB; winbind supplies the AD users/groups.
[global]
        workgroup = QACCESST
        realm = QACCESST.ADTEST.AD.LAB
        server string = %h server (Samba %v)
        security = ADS
        update encrypted = Yes
        # obey pam restrictions / pam password change make smbd consult PAM
        # for its own sessions and password changes; they do not affect the
        # dtlogin stack below, which is driven by CDE, not by smbd.
        obey pam restrictions = Yes
        enable privileges = Yes
        pam password change = Yes
        # passwd program + unix password sync run /bin/passwd for the local
        # Unix account when Samba itself changes a password. Whether that
        # path is ever taken for AD-held passwords under security = ADS is
        # worth confirming; it is unrelated to the expired-password prompt.
        passwd program = /bin/passwd %u
        username map = /etc/samba/smbusers
        unix password sync = Yes
        # log level 5 is very verbose. Useful while debugging this issue;
        # check the log file permissions and lower it again afterwards.
        log level = 5
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        # ldap ssl only governs Samba's own LDAP client connections; it has no
        # bearing on winbind or PAM here.
        ldap ssl = no
        # idmap ranges start at 500. Make sure no local accounts/groups in
        # /etc/passwd and /etc/group are allocated inside 500-100000000,
        # otherwise a winbind-mapped AD user could collide with a local uid/gid.
        idmap uid = 500-100000000
        idmap gid = 500-100000000
        # every winbind user gets this shell; there is no per-user override here
        template shell = /bin/bash
        # short cache (seconds) so AD state changes show up quickly while testing
        winbind cache time = 10
        # AD user names are exposed without the DOMAIN\ prefix
        winbind use default domain = Yes
        winbind trusted domains only = Yes
        winbind nested groups = Yes
 
# Home shares: each user may only reach the share that carries their own name
[homes]
        valid users = %S
        read only = No
        browseable = No
 

/etc/nsswitch.conf:
 
# passwd/group: local files are consulted first, then winbind (AD) — this is
# what lets pam_winbind users appear as Unix accounts on this host.
passwd:     files winbind
group:      files winbind
# hosts also falls back to winbind after files and dns
hosts:      files dns winbind
ipnodes:    files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# NOTE: the three lines below are one wrapped two-line comment from the
# stock Solaris file; the bare "will" line is a mail-wrapping artifact,
# not a real nsswitch entry.
# At present there isn't a 'files' backend for netgroup;  the system
will
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
sendmailvars:   files
printers:       user files
 
auth_attr:  files
prof_attr:  files
project:    files
 
/etc/pam.conf (snipped to the dtlogin section only):
 
# CDE login and screenlock
# NOTE: each pam.conf entry is a single line; the entries below were wrapped
# by the mailer, so "debug ..." continuation lines belong to the line above.
#
# auth stack: pam_winbind is "sufficient", so a winbind success ends the
# stack, but a winbind failure is NOT fatal — control falls through to
# pam_authtok_get / pam_dhkeys / pam_unix_auth. For an AD-only user
# pam_unix_auth has no local password to check and fails, which is a
# plausible source of the generic "login incorrect": whatever pam_winbind
# returns for an expired password is masked by the fall-through. The
# "debug" flag is already set, so the system log should show the exact
# return code pam_winbind produced for the expired account.
dtlogin         auth            sufficient      pam_winbind.so
debug   use_first_pass  use_authtok
dtlogin         auth            requisite       pam_authtok_get.so.1
debug
dtlogin         auth            required        pam_dhkeys.so.1
debug
#dtlogin                auth            optional        pam_krb5.so
use_first_pass  creds   debug
# local fallback: only succeeds for accounts with a local Unix password
dtlogin         auth            sufficient      pam_unix_auth.so.1
debug   try_first_pass
#dtlogin                auth            sufficient
pam_dial_auth.so.1      debug
# account stack: the local account modules (pam_roles, pam_projects,
# pam_unix_account) are all commented out, so only pam_winbind's account
# check runs; local /etc/shadow aging is not enforced on this stack.
# Expiry/must-change results are normally reported from the account phase,
# which is only reached if the auth stack above succeeded.
#dtlogin                account         requisite       pam_roles.so.1
debug
#dtlogin                account         requisite
pam_projects.so.1       debug
#dtlogin                account         sufficient
pam_unix_account.so.1   debug
# "use_authtok" is a password-phase option; it appears to have no effect
# on an account entry — verify against the pam_winbind documentation.
dtlogin         account         required        pam_winbind.so
use_authtok
# password stack: every module that would collect and check a new password
# (pam_authtok_get, pam_authtok_check, pam_authtok_store, pam_dhkeys) is
# commented out, yet pam_winbind is given "use_authtok", i.e. told to reuse a
# token set by a preceding module. With nothing preceding it there may be no
# new token to use, which could make the forced password change fail —
# confirm by testing with "use_authtok" removed or pam_authtok_get restored.
#dtlogin                password        sufficient      pam_dhkeys.so.1
debug
#dtlogin                password        requisite
pam_authtok_get.so.1    debug
#dtlogin                password        requisite
pam_authtok_check.so.1  debug
#dtlogin                password        sufficient
pam_authtok_store.so.1  debug
dtlogin         password        required        pam_winbind.so
debug   use_authtok
# screenlock: winbind first; if it fails, pam_unix.so.1 is required, so an
# AD-only user whose winbind check fails cannot unlock the session.
dtsession       auth            sufficient      pam_winbind.so
debug   try_first_pass
dtsession       auth            required        pam_unix.so.1
 
Thanks in advance!
Bruce
 

