What happens if you call
kinit sambauser@INTRA.EXAMPLE.COM
on the Linux command line. Are you asekd you for new password here? If
not Samba might not return the right error code to indicate that the
password is expired.
In this case it would be nice if you can send the
output of
KRB5_TRACE=/dev/stdout kinit sambauser@INTRA.EXAMPLE.COM