diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 941a2e0..2749a9c 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1352,6 +1352,11 @@ _kdc_as_rep(krb5_context context,
     if(ret)
 	goto out;
 
+    if (!strncmp(server_name,"kadmin/changepw@",16)) {
+      /* Set change_pw flag for the client so that in kdc-glue.c accountExpire could be modified */
+      client->entry.flags.change_pw = 1;
+      
+    }
     ret = _kdc_windc_client_access(context, client, req, &e_data);
     if(ret)
 	goto out;
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 411e752..ef6d5a6 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -272,6 +272,13 @@ krb5_error_code samba_kdc_check_client_access(void *priv,
 		}
 	}
 
+  if (entry_ex->entry.flags.change_pw && entry_ex->entry.flags.client) {
+    
+    struct ldb_val *v = ldb_msg_find_ldb_val(p->msg, "pwdLastSet");
+    char* oldExpire = v->data;
+    v->data="9223372036854775807";
+    v->length=19;
+  }
 	/* we allow all kinds of trusts here */
 	nt_status = authsam_account_ok(tmp_ctx, 
 				       p->samdb,