Winbind issues lock out accounts when passwd is changed
We have some hosted servers for one of our customers running SLES 11 SP3 that I joined to our AD environment with Windows Domain Membership in YaST. In addition to the basic setup, I configured /etc/pam.d/sshd to only allow users to ssh in if they have the correct AD group. For the most part, this works great. However, any time a user that's signed into one of the servers previously changes their network password, all of the servers start reporting failed logons, even though the user isn't actively trying to sign in. This then causes the user's account to lock out every few minutes. Is something in the winbind or Kerberos services trying to authenticate these users constantly? If so, how can I stop that from happening any more?
I'm not sure if this may be leading to the issue at hand, but all of these users are set up with YubiKeys for two-factor authentication into the network. Instead of entering domain\username to sign in, they enter domain\<one-time-password>, which is generated by the key. This then syncs up to their network account.