samba - Nov 2003 - changing password for w2k user logged in linux station (winbind)

This is in the winbind documentation

We divide the unified logon problem for UNIX machines into three smaller
problems:

1. Obtaining Windows NT user and group information
2. Authenticating Windows NT users
3. Password changing for Windows NT users

The winbind system provides a simple and elegant solution to all three
components of the unified logon problem.



First two things are explained, with pam configuration examples.  I have 
got them to work fine and dandy.  The problem is the third, for which I 
hardly find any bits of useful information googling the net.

So, I have a w2kAD user that's logged in a linux machine.  How does he 
change his password?

Have tried this:

/etc/pam.d/passwd

auth     sufficient    pam_unix2.so    nullok use_first_pass
auth     sufficient    pam_winbind.so
account  sufficient    pam_unix2.so
account  sufficient    pam_winbind.so
#password required    pam_pwcheck.so    nullok
password sufficient   pam_unix2.so    nullok use_first_pass use_authtok
password sufficient    pam_winbind.so
#session  required    pam_unix2.so

Also, I have added
password sufficient pam_winbind.so
in /etc/pam.d/login and /etc/pam.d/xdm

I'm not sure that all of the above is ok, in fact I'm sure it's not
ok.

If I type "passwd" as user w2kAD, it says "Unknown user".

As local unix user, "passwd" tries to change the NT password, which I 
don't want, and it can't.

I know about smbpasswd -r PDC -U username, but I need better integration 
with windows.  For example, will I be able to get password expiry to 
work, by setting it up in w2kAD?  So that the linux box will prompt the 
w2k user for a new password?  Is this doable?

Thanks.