We have a Windows 2003 R2 server with a group policy set so once the user changes their password for the first time, the password never expires. However, starting with Samba 3.0.23a (the last known good version that I tested was 3.0.21c), the user gets a message saying their password has expired and it prompted to change it. This message goes away if we manually check the "Password never expires" in the active directory for that user, but we can't do that until after the user changes their password for the first time (otherwise it removes the "User must change password" check). The syslog says "pam_sm_acct_mgmt success but pam_winbind_new_authtok_reqd is set".
I tried 3.0.23a on both x86 and x86_64 platforms with the same results.
The temporary solution is to change the group policy to expire the password in 999 days, rather than never (or, as it turns out, is "0" days). It'd be nice if Samba could interpret the 0 days as "never" though...
*** This bug has been marked as a duplicate of 3969 ***