Created attachment 7302 [details] Backported Samba 4 patch source3/libads/kerberos.c installs an optional prompter function which enters the password, to work around an old Kerberos bug. When winbindd tries to get a ticket, the Kerberos library may call that function to prompt the user if necessary. In the case where the user's password has expired, Kerberos doesn't prompt for the password; it prompts for a new password twice. The prompter only returns the password once, so the Kerberos library sees that the entered passwords don't match. MIT Kerberos only tries again three times, but Heimdal loops forever (in init_creds_pw.c). Reproducable by creating a user in Active Directory with "User must change password at next logon" set, then get a ticket for that user with wbinfo -K. Commit 10989431e533bd60de242dbd78c4b62c4ace7812 in Samba 4 removes this prompter, and I can confirm that this fixes the problem when applied to Samba 3.
I think this has been fixed in master by b3931af2df293a9cb75f21cdb5555fb6725dff34 for Samba 4.5.