A PAM_AUTH request is sent to the DC in the joined domain. If the authentication request was for a user from a trusted domain, and the flag WBFLAG_PAM_GET_PWD_POLICY is specified then the password policy from the joined domain is queried and returned. In case the PAM_AUTH request has been issued from the pam_winbind module that can lead to a wrong password expiration warning in pam_winbind, if the password of the users would be expired according the the joined domain policy, but it is not expired with the policy of the trusted domain.
Created attachment 13122 [details] backport to 4.5
Created attachment 13123 [details] backport to 4.6
Comment on attachment 13122 [details] backport to 4.5 Karolin, please add the patches to the relevant branches. Thanks.
(In reply to Andreas Schneider from comment #3) Pushed to autobuild-v4-{6,5}-test.
Created attachment 13135 [details] Additional patch for v4-6-test
Created attachment 13136 [details] Additional patch for v4-5-test
Karolin, please add the addtional patches too. Thanks.
(In reply to Andreas Schneider from comment #7) Pushed additional patches to autobuild-v4-{6,5}-test.
(In reply to Karolin Seeger from comment #8) Pushed to both branches. Closing out bug report. Thanks!