LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1  01-06-2014, 01:36 PM  morph166955 (LQ Newbie; Registered: Oct 2005; Posts: 5)
winbind mistakenly thinks AD accounts are expired and causes password reset request


I have winbind set up on a RHEL6.4 host. It is properly peered to my AD and seems to be working fine. Users are able to log in, authentication seems valid. My AD has a trust with another AD (for purposes of this, let's call it AD2). I want users of AD2 to be able to log in to the RHEL box. When the user logs in as "AD2+username", the password is validated (if I put the wrong password, it tells me that it is invalid); however, the server believes that the user's account has expired. The trust relationship is tested and working. I've played with a few different things, I'm not really sure where to go from here. Any help is greatly appreciated. Thanks!
 
#2  01-06-2014, 01:41 PM  morph166955 (Original Poster)
And for reference, since I'm sure it will be asked, here is my system-auth-ac file from pam.d:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
 
#3  01-06-2014, 01:50 PM  morph166955 (Original Poster)
And also for reference, here are two different outputs from /var/log/secure:

Local AD:

Jan 6 14:46:11 linux-host-1 sshd[2109]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=AD+username
Jan 6 14:46:11 linux-host-1 sshd[2109]: pam_winbind(sshd:auth): getting password (0x00000010)
Jan 6 14:46:11 linux-host-1 sshd[2109]: pam_winbind(sshd:auth): pam_get_item returned a password
Jan 6 14:46:11 linux-host-1 sshd[2109]: pam_winbind(sshd:auth): user 'AD+username' granted access
Jan 6 14:46:11 linux-host-1 sshd[2109]: pam_winbind(sshd:account): user 'username' granted access
Jan 6 14:46:11 linux-host-1 sshd[2109]: Accepted password for AD+username from 127.0.0.1 port 51990 ssh2
Jan 6 14:46:11 linux-host-1 sshd[2109]: pam_unix(sshd:session): session opened for user username by (uid=0)

AD through trust:

Jan 6 14:46:33 linux-host-1 sshd[2137]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=AD2+username
Jan 6 14:46:33 linux-host-1 sshd[2137]: pam_winbind(sshd:auth): getting password (0x00000010)
Jan 6 14:46:33 linux-host-1 sshd[2137]: pam_winbind(sshd:auth): pam_get_item returned a password
Jan 6 14:46:34 linux-host-1 sshd[2137]: pam_winbind(sshd:auth): user 'AD2+username' granted access
Jan 6 14:46:34 linux-host-1 sshd[2137]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
Jan 6 14:46:34 linux-host-1 sshd[2137]: pam_winbind(sshd:account): user 'AD2+username' needs new password
Jan 6 14:46:34 linux-host-1 sshd[2137]: Accepted password for AD2+username from 127.0.0.1 port 51991 ssh2
Jan 6 14:46:34 linux-host-1 sshd[2137]: pam_unix(sshd:session): session opened for user AD2+username by (uid=0)
Jan 6 14:46:34 linux-host-1 passwd: pam_unix(passwd:chauthtok): user "AD2+username" does not exist in /etc/passwd
Jan 6 14:46:34 linux-host-1 passwd: pam_winbind(passwd:chauthtok): getting password (0x00000022)
 
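The two log excerpts in post #3 differ only in what pam_winbind hands back from the account stage: PAM_SUCCESS for the local-domain user, PAM_NEW_AUTHTOK_REQD for the trusted-domain user, after which sshd forces a password change (the passwd/chauthtok lines). The model below walks the account stack from the system-auth-ac file in post #2 through Linux-PAM's control-flag rules to show how that code reaches sshd. It is an added example for this thread, not code from the posts or from Linux-PAM: the action semantics (ok/done/bad/die/ignore and the expansions of required/requisite/sufficient/optional) are taken from pam.conf(5); the per-module return codes fed in, the uid of 10000 for a winbind-mapped user, and the helper names are assumptions chosen to reproduce the posted logs, not observations from the poster's system.

```python
"""Model of Linux-PAM stack evaluation, applied to the posted account stack.

Added example, not from the original thread or from Linux-PAM. Control
semantics follow pam.conf(5); module return codes are assumed (see below).
"""

# Return codes from <security/_pam_types.h>
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_USER_UNKNOWN = 10
PAM_NEW_AUTHTOK_REQD = 12
PAM_IGNORE = 25

CODE_NAME = {
    PAM_SUCCESS: "success",
    PAM_PERM_DENIED: "perm_denied",
    PAM_AUTH_ERR: "auth_err",
    PAM_USER_UNKNOWN: "user_unknown",
    PAM_NEW_AUTHTOK_REQD: "new_authtok_reqd",
    PAM_IGNORE: "ignore",
}

# Keyword controls are shorthand for [value=action ...] tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(control):
    """Turn 'required' or '[default=bad success=ok ...]' into an action table."""
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control: %r" % control)
    table = {}
    for pair in control[1:-1].split():
        value, action = pair.split("=", 1)
        table[value] = action
    return table


def run_stack(stack, results):
    """Evaluate one management group and return the code the application sees.

    stack:   list of (control, module) in file order
    results: module -> return code that module would give for this user
    Implements ok/done/bad/die/ignore as pam.conf(5) describes them; the
    jump (N) and reset actions are not used by the posted file and are omitted.
    """
    impression = None          # None = undefined, True = positive, False = negative
    status = PAM_PERM_DENIED   # Linux-PAM fails closed if nothing contributes
    for control, module in stack:
        table = parse_control(control)
        retval = results[module]
        action = table.get(CODE_NAME[retval], table.get("default", "bad"))
        if action in ("ok", "done"):
            # 'ok' contributes only while nothing has failed; a non-success code
            # from an 'ok' module overrides an earlier PAM_SUCCESS.
            if impression is None or (impression and status == PAM_SUCCESS):
                impression = True
                status = retval
            if action == "done" and impression:
                break
        elif action in ("bad", "die"):
            # The first failing module fixes the return value of the whole stack.
            if impression is not False:
                impression = False
                status = retval
            if action == "die":
                break
        elif action != "ignore":
            raise ValueError("unsupported action %r" % action)
    return PAM_PERM_DENIED if impression is None else status


# The account stack exactly as posted in system-auth-ac (post #2).
ACCOUNT_STACK = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_succeed_if.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_winbind.so"),
    ("required", "pam_permit.so"),
]


def account_result(winbind_code, winbind_control=None, uid=10000):
    """Assumed outcomes for a winbind-mapped user: pam_unix passes
    (broken_shadow tolerates the missing shadow entry), 'uid < 500' fails for
    the assumed uid, pam_winbind returns what winbindd reported, pam_permit
    succeeds. winbind_control, if given, replaces the posted control for
    pam_winbind so alternative stack policies can be compared."""
    stack = [(winbind_control if (m == "pam_winbind.so" and winbind_control) else c, m)
             for c, m in ACCOUNT_STACK]
    results = {
        "pam_unix.so": PAM_SUCCESS,
        "pam_succeed_if.so": PAM_SUCCESS if uid < 500 else PAM_AUTH_ERR,
        "pam_winbind.so": winbind_code,
        "pam_permit.so": PAM_SUCCESS,
    }
    return run_stack(stack, results)


if __name__ == "__main__":
    for label, code in (("AD+username  (local domain)", PAM_SUCCESS),
                        ("AD2+username (trusted domain)", PAM_NEW_AUTHTOK_REQD)):
        print("%-30s pam_acct_mgmt() -> %s" % (label, CODE_NAME[account_result(code)]))
```

Running it reproduces the logs: the local-domain user's stack ends in success, the trusted-domain user's in new_authtok_reqd, which is what makes sshd demand a new password. Trying `winbind_control="required"` or `"sufficient"` gives the same result, because both map new_authtok_reqd to ok/done and that code overrides the earlier PAM_SUCCESS; the value is coming from winbindd, not from how the stack is ordered. Only an explicit `new_authtok_reqd=ignore` in the bracketed control would hide it from sshd, and that would also let a user whose AD password genuinely must be changed log in without changing it, so it is a policy decision rather than a fix for whatever makes winbind report the trusted-domain account as expired.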
#4  01-22-2014, 03:18 PM  dutsmiller (LQ Newbie; Registered: Jan 2014; Posts: 1)
Same Issue

I am experiencing the exact same issue. Did you figure out a solution?
 