Logging in to domain account when password needs to change doesn't enforce password to change

I have Leap 42.1 installed with the GNOME desktop. I use a Samba domain account to log in with, and when my password is set to expire with:

sudo net sam set pwdmustchangenow username yes

I notice that the change of password isn’t handled as I would expect. I was using GDM by default, and using that it tells me “Your password must change now” or something similar. I am then logged in to the desktop environment without being offered a way to change my password.

I have installed and tried a few other logins to test those: KDM doesn’t even tell me my password needs to change and lets me in; SDDM tells me my password should change and logs in; LightDM tells me my password needs to change and then gets stuck without letting me log in.

Can anyone advise how to work around or fix this issue? I thought it was an issue with the login manager, but after doing some reading it should be handled by the PAM module rather than the login prompt, and the login just does what it is told by PAM.

From journal:

Jun 20 17:13:35 user-lenovo gdm-password][2217]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=SMB01\username
Jun 20 17:13:35 user-lenovo gdm-password][2217]: pam_winbind(gdm-password:auth): getting password (0x00000390)
Jun 20 17:13:35 user-lenovo gdm-password][2217]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Jun 20 17:13:35 user-lenovo gdm-password][2217]: pam_winbind(gdm-password:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_NEW_AUTHTOK_REQD (12), NTSTATUS: NT_STATUS_PASSWORD_MUST_CHANGE, Error message was: Must change password
Jun 20 17:13:35 user-lenovo gdm-password][2217]: pam_winbind(gdm-password:auth): user 'SMB01\username' new password required
Jun 20 17:13:35 user-lenovo gdm-password][2217]: pam_unix(gdm-password:session): session opened for user SMB01\username by (unknown)(uid=0)

I realised shortly after posting about this that I raised this as a bug around 6 months ago when I first noticed this issue. Now we have more and more users moving to openSUSE, this is becoming a bigger issue. What is the chance of getting someone to look into fixing this issue as it’s a major security concern?

https://bugzilla.opensuse.org/show_bug.cgi?id=961653
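
A log check for the behaviour shown in the journal excerpt, added here as an example and not part of the original post: it flags logins where PAM reported that a new password was required and the same process then opened a session with no password-change (chauthtok) phase in between. The sample lines are constructed, and treating any chauthtok-phase line as a completed change is a simplifying assumption.

```python
import re

# Constructed journal lines modelled on the excerpt above; hosts, PIDs and
# users are made up for this example.
SAMPLE = r"""
Jun 20 17:13:35 host1 gdm-password][2217]: pam_winbind(gdm-password:auth): user 'DOM\alice' new password required
Jun 20 17:13:35 host1 gdm-password][2217]: pam_unix(gdm-password:session): session opened for user DOM\alice by (unknown)(uid=0)
Jun 20 17:20:02 host1 sshd[3001]: pam_winbind(sshd:auth): user 'DOM\bob' new password required
Jun 20 17:20:09 host1 sshd[3001]: pam_unix(sshd:chauthtok): password changed for DOM\bob
Jun 20 17:20:09 host1 sshd[3001]: pam_unix(sshd:session): session opened for user DOM\bob by (uid=0)
Jun 20 17:25:00 host1 sshd[3050]: pam_unix(sshd:session): session opened for user carol by (uid=0)
""".strip().splitlines()

# "<timestamp> <host> <process>[<pid>]: <module>(<service>:<phase>): <message>"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s(?P<proc>[^\[]+)\[(?P<pid>\d+)\]:\s+"
    r"(?P<mod>\w+)\((?P<svc>[^:)]+):(?P<phase>\w+)\):\s+(?P<msg>.*)$"
)
EXPIRED = ("new password required", "PAM_NEW_AUTHTOK_REQD")

def find_unenforced_changes(lines):
    """Return sessions opened after an expired-password result with no
    chauthtok-phase activity in between, tracked per host and login PID."""
    pending = {}    # (host, pid) -> timestamp of the expired-password message
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        key = (m["host"], m["pid"])
        phase, msg = m["phase"], m["msg"]
        if phase == "auth" and any(s in msg for s in EXPIRED):
            pending.setdefault(key, m["ts"])
        elif phase == "chauthtok":
            # Simplification: any chauthtok line counts as the change stack having run.
            pending.pop(key, None)
        elif phase == "session" and msg.startswith("session opened for user"):
            if key in pending:
                user = msg.split()[4]
                findings.append({"user": user, "service": m["svc"],
                                 "expired_at": pending.pop(key), "session_at": m["ts"]})
    return findings

if __name__ == "__main__":
    for f in find_unenforced_changes(SAMPLE):
        print("session without password change:", f)
```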