2 files changed, 10 insertions, 0 deletions

diff --git a/source3/lib/pam_errors.c b/source3/lib/pam_errors.c
index f74e4bf176..e1d02151a6 100644
--- a/source3/lib/pam_errors.c
+++ b/source3/lib/pam_errors.c
@@ -67,6 +67,7 @@ const static struct {
 	{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
 	{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
 	{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
+	{NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
 	{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
 	{NT_STATUS_OK, PAM_SUCCESS}
 };
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index b192a347f4..4739cfbf7a 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -155,6 +155,14 @@ static int winbind_auth_request(const char *user, const char *pass, int ctrl)
 		/* incorrect password */
 		_pam_log(LOG_WARNING, "user `%s' denied access (incorrect password)", user);
 		return retval;
+	case PAM_ACCT_EXPIRED:
+		/* account expired */
+		_pam_log(LOG_WARNING, "user `%s' account expired", user);
+		return retval;
+	case PAM_AUTHTOK_EXPIRED:
+		/* password expired */
+		_pam_log(LOG_WARNING, "user `%s' password expired", user);
+		return retval;
 	case PAM_USER_UNKNOWN:
 		/* the user does not exist */
 		if (ctrl & WINBIND_DEBUG_ARG)
@@ -577,6 +585,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 		retval = winbind_auth_request(user, pass_old, ctrl);
 		
 		if (retval != PAM_ACCT_EXPIRED 
+		    && retval != PAM_AUTHTOK_EXPIRED
 		    && retval != PAM_NEW_AUTHTOK_REQD 
 		    && retval != PAM_SUCCESS) {
 			pass_old = NULL;