Hi,

What happens if you call

kinit sambauser@INTRA.EXAMPLE.COM

It asks for password and current password is working for getting kerberos ticket and not asking me to reset the password.

on the Linux command line. Are you asekd you for new password here? If
not Samba might not return the right error code to indicate that the
password is expired.

I posted this query in samba mailing list also but they told me that if Windows 7 client is working fine then Samba is working fine.

In this case it would be nice if you can send the
output of

KRB5_TRACE=/dev/stdout kinit sambauser@INTRA.EXAMPLE.COM

Here is the output of the above command,

# KRB5_TRACE=/dev/stdout kinit test

[2507] 1420693228.971649: Getting initial credentials for test@INTRA.EXAMPLE.COM

[2507] 1420693228.974468: Sending request (210 bytes) to INTRA.EXAMPLE.COM

[2507] 1420693228.976230: Sending initial UDP request to dgram 172.16.0.170:8880

[2507] 1420693228.981059: Received answer from dgram 172.16.0.170:8880

[2507] 1420693228.981167: Response was not from master KDC

[2507] 1420693228.981252: Received error from KDC: -1765328359/Additional pre-authentication required

[2507] 1420693228.981413: Processing preauth types: 16, 15, 2, 138, 136, 11, 19

[2507] 1420693228.981477: Selected etype info: etype rc4-hmac, salt "INTRA.EXAMPLE.COMtest", params ""

[2507] 1420693228.981532: Selected etype info: etype rc4-hmac, salt "INTRA.EXAMPLE.COMtest", params ""

Password for test@INTRA.EXAMPLE.COM:

[2507] 1420693231.111979: AS key obtained for encrypted timestamp: rc4-hmac/3CC1

[2507] 1420693231.112235: Encrypted timestamp (for 1420693231.112064): plain 301AA011180F32303135303130383035303033315AA105020301B5C0, encrypted F92A0E3BEF336E51C24C4CB9E8EB1ACE49ECA2BE32C9ABD207062898FD593268EEA31CF0185BE2B2B05F3A4A47328E9B1149AFA0

[2507] 1420693231.112272: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success

[2507] 1420693231.112292: Produced preauth for next request: 2

[2507] 1420693231.112341: Sending request (286 bytes) to INTRA.EXAMPLE.COM

[2507] 1420693231.112611: Sending initial UDP request to dgram 172.16.0.170:8880

[2507] 1420693231.116296: Received answer from dgram 172.16.0.170:8880

[2507] 1420693231.116448: Response was not from master KDC

[2507] 1420693231.116573: Processing preauth types: 3

[2507] 1420693231.116586: Received salt "��" via padata type 3

[2507] 1420693231.116597: Produced preauth for next request: (empty)

[2507] 1420693231.116616: AS key determined by preauth: rc4-hmac/3CC1

[2507] 1420693231.116694: Decrypted AS reply; session key is: rc4-hmac/4D55

[2507] 1420693231.116724: FAST negotiation: available

[2507] 1420693231.116729: Initializing FILE:/tmp/krb5cc_0 with default princ test@INTRA.EXAMPLE.COM

[2507] 1420693231.117523: Removing test@INTRA.EXAMPLE.COM -> krbtgt/INTRA.EXAMPLE.COM@INTRA.EXAMPLE.COM from FILE:/tmp/krb5cc_0

[2507] 1420693231.117542: Storing test@INTRA.EXAMPLE.COM -> krbtgt/INTRA.EXAMPLE.COM@INTRA.EXAMPLE.COM in FILE:/tmp/krb5cc_0

[2507] 1420693231.117710: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/INTRA.EXAMPLE.COM@INTRA.EXAMPLE.COM: fast_avail: yes

[2507] 1420693231.117903: Removing test@INTRA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/INTRA.EXAMPLE.COM\@INTRA.EXAMPLE.COM@X-CACHECONF: from FILE:/tmp/krb5cc_0

[2507] 1420693231.117920: Storing test@INTRA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/INTRA.EXAMPLE.COM\@INTRA.EXAMPLE.COM@X-CACHECONF: in FILE:/tmp/krb5cc_0

--Regards

Ashishkumar S. Yadav