This module works well in auth and password fields. There are problems in the account management. A bug is still reported for this problem for the 3.0.4 version (n. 1524). In that bug report (n. 1524), Scott Barker says: "When authenticating a user for login, if a new password is required, pam_authenticate should return PAM_SUCCESS, and pam_acct_mgmt should return PAM_NEW_AUTHTOK_REQD". In my tests (version 3.0.20b), when a password is expired on the AD Domain Controller, pam_sm_authenticate returns "4" (logging "internal module error") and pam_sm_acct_mgmt is never called. I tried patch "972" but login always succeeded, while with patch "1436" it is always denied.
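The call sequence at issue in the report above, as an added example that is not part of the original thread or of pam_winbind. It models the application side of a login with an expired password; the `struct module` stand-ins, `login_flow` and `struct trace` are hypothetical, and the return codes are redefined locally with the values Linux-PAM assigns them so the file builds without libpam.

```c
#include <stdio.h>

/* Return codes with the values Linux-PAM gives them in <security/_pam_types.h>,
   redefined locally (assumption: Linux-PAM numbering) so no libpam is needed. */
enum { PAM_SUCCESS = 0, PAM_SYSTEM_ERR = 4, PAM_AUTH_ERR = 7, PAM_NEW_AUTHTOK_REQD = 12 };

/* Hypothetical stand-in for one module's pam_sm_* entry points. */
struct module {
    int (*authenticate)(int expired);
    int (*acct_mgmt)(int expired);
    int (*chauthtok)(void);
};

struct trace { int acct_called; int chauthtok_called; int result; };

/* Application-side sequence: authenticate, then the account check, then a
   forced password change only when the account phase asks for one. */
static struct trace login_flow(const struct module *m, int expired)
{
    struct trace t = {0, 0, PAM_AUTH_ERR};
    t.result = m->authenticate(expired);
    if (t.result != PAM_SUCCESS)
        return t;                       /* denied before the account phase runs */
    t.acct_called = 1;
    t.result = m->acct_mgmt(expired);
    if (t.result == PAM_NEW_AUTHTOK_REQD) {
        t.chauthtok_called = 1;
        t.result = m->chauthtok();      /* real apps pass PAM_CHANGE_EXPIRED_AUTHTOK */
    }
    return t;
}

/* Constructed behaviours: "expected" follows the quoted rule, "reported"
   returns 4 from the auth phase when the password is expired. */
static int auth_ok(int expired)       { (void)expired; return PAM_SUCCESS; }
static int auth_reported(int expired) { return expired ? PAM_SYSTEM_ERR : PAM_SUCCESS; }
static int acct(int expired)          { return expired ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS; }
static int change_ok(void)            { return PAM_SUCCESS; }

static const struct module expected_mod = { auth_ok, acct, change_ok };
static const struct module reported_mod = { auth_reported, acct, change_ok };

int main(void)
{
    struct trace a = login_flow(&expected_mod, 1), b = login_flow(&reported_mod, 1);
    printf("expected: result=%d acct=%d chauthtok=%d\n", a.result, a.acct_called, a.chauthtok_called);
    printf("reported: result=%d acct=%d chauthtok=%d\n", b.result, b.acct_called, b.chauthtok_called);
    return 0;
}
```

With the reported behaviour the user is denied without ever being offered the password change, because the application stops at the first non-success return and never reaches the account phase.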
If it is possible for you, please re-test with the pam_winbind module that is now in trunk. It should be fixed there.
Fixed in Subversion, please reopen if it is still an issue for you.