--- samba-3.0.14a/source/nsswitch/pam_winbind.c 2005-02-25 18:59:30.000000000 +0100
+++ samba-3.0.14a-caib/source/nsswitch/pam_winbind.c 2005-04-25 11:43:14.000000000 +0200
@@ -506,7 +513,15 @@
 }
 /* Now use the username to look up password */
- return winbind_auth_request(username, password, member, ctrl);
+ int result = winbind_auth_request(username, password, member, ctrl);
+ _pam_log(LOG_INFO, "pam_sm_authenticate: %d \n", result);
+ if ( result == PAM_NEW_AUTHTOK_REQD ||
+ result == PAM_AUTHTOK_EXPIRED) {
+ // Activate flag to request for password change at account step
+ pam_set_data( pamh, "WINBIND-NEW-AUTHTOK-REQD", 1, _pam_winbind_cleanup_func);
+ return PAM_SUCCESS;
+ }
+ return result;
 }
 PAM_EXTERN
@@ -526,7 +541,9 @@
 {
 const char *username;
 int retval = PAM_USER_UNKNOWN;
+ void *tmp = NULL;
+
 /* parse arguments */
 int ctrl = _pam_parse(argc, argv);
@@ -553,9 +570,17 @@
 return PAM_IGNORE;
 return PAM_USER_UNKNOWN;
 case 0:
- /* Otherwise, the authentication looked good */
- _pam_log(LOG_NOTICE, "user '%s' granted access", username);
- return PAM_SUCCESS;
+ pam_get_data( pamh, "WINBIND-NEW-AUTHTOK-REQD", &tmp);
+ if (tmp != NULL)
+ {
+ /* Otherwise, the authentication looked good */
+ _pam_log(LOG_NOTICE, "user '%s' needs new password", username);
+ return PAM_NEW_AUTHTOK_REQD;
+ } else {
+ /* Otherwise, the authentication looked good */
+ _pam_log(LOG_NOTICE, "user '%s' granted access", username);
+ return PAM_SUCCESS;
+ }
 default:
 /* we don't know anything about this return value */
 _pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s'",
@@ -570,6 +595,7 @@
 int pam_sm_open_session(pam_handle_t *pamh, int flags,
 int argc, const char **argv)
 {
+ /* parse arguments */
 int ctrl = _pam_parse(argc, argv);
 if (ctrl & WINBIND_DEBUG_ARG)
@@ -610,6 +636,7 @@
 * First get the name of a user
 */
 retval = pam_get_user(pamh, &user, "Username: ");
+
 if (retval == PAM_SUCCESS) {
 if (user == NULL) {
 _pam_log(LOG_ERR, "username was NULL!");
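Review bot: In pam_sm_authenticate an expired or must-change password now comes back as PAM_SUCCESS from the auth stage, so enforcement of the expiry rests entirely on the flag stored with `pam_set_data` being read back in pam_sm_acct_mgmt, yet the return value of `pam_set_data` is discarded; if storing the flag fails the user is granted access with no password change ever demanded, and a PAM stack that does not run this module's account stage accepts the expired password silently. Check the return value and fall back to reporting the original result when the flag cannot be stored, and say in a comment above the `if` that the account stage must be in the stack for the deferral to be enforced. Passing the integer `1` as the `void *data` argument is also questionable: `_pam_winbind_cleanup_func` is not visible here, and if it frees its data argument (as a cleanup registered through pam_set_data typically would) the cast integer ends up in free(), so an object suited to that cleanup should be stored instead, which needs confirming against its definition. The key string `"WINBIND-NEW-AUTHTOK-REQD"` is repeated verbatim in the pam_sm_acct_mgmt hunk and a shared macro would keep the two in sync, while the `_pam_log(LOG_INFO, "pam_sm_authenticate: %d \n", result)` line embeds a newline and trailing space in a syslog message and is emitted on every authentication. The body of pam_sm_authenticate begins outside the hunk.
```c
	int result = winbind_auth_request(username, password, member, ctrl);
	if (result == PAM_NEW_AUTHTOK_REQD || result == PAM_AUTHTOK_EXPIRED) {
		/* Defer the password change to pam_sm_acct_mgmt, which must be
		 * present in the stack for the expiry to be enforced.  If the
		 * flag cannot be recorded, report the expiry now instead of
		 * granting access.
		 * NOTE(review): confirm what _pam_winbind_cleanup_func does with
		 * its data argument before handing it a non-heap pointer. */
		if (pam_set_data(pamh, "WINBIND-NEW-AUTHTOK-REQD", (void *)1,
				 _pam_winbind_cleanup_func) != PAM_SUCCESS) {
			return result;
		}
		return PAM_SUCCESS;
	}
	return result;
```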
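Review bot: In the `case 0:` branch of pam_sm_acct_mgmt the return value of `pam_get_data` is ignored and the decision rests on `tmp != NULL`, which only works because the auth stage happens to store the literal integer 1; test the call's result instead, `if (pam_get_data(pamh, "WINBIND-NEW-AUTHTOK-REQD", &tmp) == PAM_SUCCESS)`, so the check does not depend on the value stored. The comment `/* Otherwise, the authentication looked good */` was copied into the new-password branch where it no longer describes what happens; replace it there with `/* Authentication succeeded, but pam_sm_authenticate deferred an expired password to this stage */`. The flag is never cleared once consumed, so it stays attached to the handle for any later account-management call on it; whether that matters depends on how the application drives the stack. The enclosing switch and function continue outside the hunk.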
@@ -723,7 +723,7 @@
 lctrl = ctrl;
 if (on(WINBIND_USE_AUTHTOK_ARG, lctrl)) {
- ctrl = WINBIND_USE_FIRST_PASS_ARG | lctrl;
+ ctrl = lctrl | WINBIND_USE_FIRST_PASS_ARG;
 }
 retry = 0;
 retval = PAM_AUTHTOK_ERR;