When changing the password of a user with a corresponding PSO, the password policy message contains the domain password policy settings. Changing the password with Kerberos displays the correct password policy.

It appears that winbindd now uses samr_ChangePasswordUser4 by default (if supported by the server), which doesn't send the DomInfo structure with the user password policy and reject_reason. They were previously used by samr_ChangePasswordUser3, which now serves as a fallback.

This discrepancy may confuse users, as the displayed password requirements aren't valid.

For example: pam_winbind reports the required password length as 8, but kpasswd says it needs to be 10 (as in the PSO).

# passwd testuser
passwd: updating all authentication tokens for user testuser.
Changing password for testuser
(current) NT password:
Enter new NT password:
Retype new NT password:
Your password must be at least 8 characters; cannot repeat any of your previous 24 passwords; must contain capitals, numerals or punctuation; and cannot contain your account or full name; Please type a different password. Type a password which meets these requirements in both text boxes.
passwd: Authentication token manipulation error.

# kpasswd testuser
Password for testuser@SAMDOM1.ALT:
Enter new password:
Enter it again:
Password change rejected: Password too short, password must be at least 10 characters long.