With an account whose password is expired, it's impossible to change the password with kpasswd against a s4 domain controller. It's possible with w2k3. The core of the problem lies in the function authsam_account_ok of source4/auth/sam.c, which does not allow an exception for the verification of the password expiration.
Created attachment 4283: Proposed patch for deactivating the check of password expiration. With this patch, the pwdLastSet is set for the request to the maximum value so that the check of password expiration will not fail.
This is really nice debugging work! I think we need to pass in the server principal (or more particularly, its record) when checking the password expiry. I think overloading of the flags is the wrong approach, but it shows the issue nicely.
Please note that changing the password through Windows works even when it's expired. I debugged it a little bit and it turns out that when trying to change an expired password the pwdLastSet is automagically set to the current timestamp (but I was unable to find how it's done in the code).
Windows uses SAMR, not kpasswd, for password changes, so this check (for password expiry) is not applied. I'll in fact be adding more checks to the SAMR password change code (for security), but of course not adding this bug there too. Expect a fix for the Kerberos case soon.
Created attachment 4289: Patch to fix the problem properly. This is a much better fix. Testing welcome! (I need to figure out how to best test this in a script.)
Fixed in 19413c52495877d54c90c60229568d0077fda30b
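The approach proposed in the thread (check password expiry, but exempt a ticket request whose target is the password-change service) as an added illustration in Python; this is not Samba's authsam_account_ok code and the helper names, the user/domain dictionaries and the sample timestamps are constructed for the example. It assumes AD conventions: pwdLastSet and maxPwdAge are NT time (100 ns intervals since 1601), maxPwdAge is stored as a negative interval, and pwdLastSet == 0 means "must change at next logon".

```python
from datetime import datetime, timedelta, timezone

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Kerberos password-change service principal (assumption: matched by prefix)
CHANGEPW_PRINCIPAL = "kadmin/changepw"
DAY = 86400 * 10_000_000  # one day in 100 ns NT-time units


def nt_time(dt: datetime) -> int:
    """UTC datetime -> NT time (100 ns intervals since 1601-01-01)."""
    return int((dt - NT_EPOCH).total_seconds() * 10_000_000)


def password_expired(pwd_last_set: int, max_pwd_age: int, now: int) -> bool:
    """AD semantics: pwdLastSet 0 forces a change; maxPwdAge >= 0 disables
    expiry; otherwise the password expires at pwdLastSet - maxPwdAge."""
    if pwd_last_set == 0:
        return True
    if max_pwd_age >= 0:
        return False
    return now > pwd_last_set - max_pwd_age


def account_ok(user: dict, domain: dict, now: int, server_principal: str):
    """Return (allowed, reason). An expired password only blocks the request
    when the ticket is NOT for the password-change service, so kpasswd can
    still obtain the ticket it needs to set a new password."""
    if user.get("userAccountControl_disabled"):
        return False, "account disabled"
    if password_expired(user["pwdLastSet"], domain["maxPwdAge"], now):
        if server_principal.lower().startswith(CHANGEPW_PRINCIPAL):
            return True, "password expired, change allowed"
        return False, "password expired"
    return True, "ok"


# Constructed sample: 42-day policy, password last set 100 days ago.
NOW_DT = datetime(2008, 1, 15, 12, 0, tzinfo=timezone.utc)
NOW = nt_time(NOW_DT)
DOMAIN = {"maxPwdAge": -42 * DAY}
STALE_USER = {"pwdLastSet": nt_time(NOW_DT - timedelta(days=100))}
FRESH_USER = {"pwdLastSet": nt_time(NOW_DT - timedelta(days=3))}

if __name__ == "__main__":
    for spn in ("krbtgt/EXAMPLE.COM", "kadmin/changepw@EXAMPLE.COM"):
        print(spn, account_ok(STALE_USER, DOMAIN, NOW, spn))
```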