Index: release-3-0-23a/source/nsswitch/pam_winbind.c
===================================================================
--- release-3-0-23a/source/nsswitch/pam_winbind.c (revision 17399)
+++ release-3-0-23a/source/nsswitch/pam_winbind.c (working copy)
@@ -449,7 +449,7 @@
 /* handle the case where the auth was ok, but the password must expire right now */
 /* good catch from Ralf Haferkamp: an expiry of "never" is translated to -1 */
 if ( ! (response.data.auth.info3.acct_flags & ACB_PWNOEXP) &&
- (response.data.auth.policy.expire > 0) &&
+ (response.data.auth.policy.expire != -1) &&
 (response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire < time(NULL))) {
 ret = PAM_AUTHTOK_EXPIRED;
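Review bot: An expire of 0, or any negative value other than -1, now reaches the date comparison, because the new test `(response.data.auth.policy.expire != -1)` excludes only the "never" sentinel. With 0 the sum is just `pass_last_set_time`, which is earlier than `time(NULL)` for any password set in the past, so every account without ACB_PWNOEXP would get PAM_AUTHTOK_EXPIRED; whether winbindd can deliver 0 here is not visible in the hunk and should be confirmed. If 0 is not meant as "expires immediately", reject it explicitly as well, e.g. `(response.data.auth.policy.expire != 0) &&` next to the sentinel test. Either way the comment above the `if` should say what each value means, e.g. `/* policy.expire: -1 = never; 0 = <intended meaning>; > 0 = maximum password age */`. The body of the `if` continues past the end of the hunk.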