[Samba] pam_winbind: user needs new password

[Eric]

Hi,

I just upgraded from Mandriva 2009.0 (Samba 3.2.3) to Mandriva 2009.1
(Samba 3.3.2), keeping all the same config files I had before. I use
pam_winbind to authenticate users against MS Active Directory.
Everything was working perfectly prior to the upgrade, and now
everything seems to be fine except for one thing: no user can have
access due to the following errors (taken from auth.log):

May  1 10:27:25 poste161-186 su: pam_winbind(su:auth): getting password
(0x00000010)
May  1 10:27:25 poste161-186 su: pam_winbind(su:auth): pam_get_item
returned a password
May  1 10:27:25 poste161-186 su: pam_winbind(su:auth): user 'emartel'
granted access
May  1 10:27:25 poste161-186 su: pam_winbind(su:account):
pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
May  1 10:27:25 poste161-186 su: pam_winbind(su:account): user 'emartel'
needs new password
May  1 10:27:27 poste161-186 su: pam_tcb(su:chauthtok): Credentials for
user emartel unknown

So access is granted, but for whatever reason the user (any user) is
informed by the console that his password has expired and he needs to
change it. If he tries to change it at the console as proposed, not only
he still doesn't get access but the password is not changed whatsoever.
I googled this, but all I found were old infos regarding a bug in Samba
3.0.2x; has this bug returned? Am I missing something? Is that a
Mandriva issue? Is there any workaround that doesn't involve playing
with AD settings?

Thanks!

Eric Martel
Québec, Canada