Kerberos password forced expiration fail

scanell scanell at jpl.nasa.gov
Thu Aug 4 11:34:58 EDT 2005


I am running the following configuration:
Kerberos 1.4.0
Solaris 9
/usr/lib/ssh/sshd, /usr/bin/ssh
/usr/lib/security/pam_krb5.so.1

My /etc/pam.conf for sshd is:
sshd    auth sufficient         pam_krb5.so.1 try_first_pass
sshd    auth required           pam_unix.so.1

I've even included the password entry in the pam.conf:
other   password sufficient     pam_krb5.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

Here is my problem.  Using kadmin, I force expire the password using:

kadmin> modprinc -pwexpire now <principal>

After expiration, I then use ssh to log onto a Kerberos client,
using the expired Kerberos password.
I've modified the local shadow file so that the password field is an "*"!

After expiration, I am still able to log onto the server.

If I expire the shadow file, then I am challenged for a password change...
The password change, via the pam.conf password entry, will change the
Kerberos password and leave the shadow file with the 0 in its time field,
so the next time a password is requested it will again show the password
has expired for that server.

How do I get the sshd / pam_krb5.so.1 to recognize that the Kerberos
password has expired???

kinit will show that the password in Kerberos has expired... but that doesn't
help me to ensure that users change their password every 90 days.

Steve
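The sshd stack quoted above has only auth and password lines; in PAM it is the account phase (pam_sm_acct_mgmt) that reports an expired password, so an auth-only stack never triggers a change prompt. The following Solaris 9 pam.conf excerpt is an added example, not the poster's file or Sun's documentation, showing the auth-only stack beside one with pam_krb5.so.1 in the account phase; the pam_roles.so.1 and pam_unix_account.so.1 lines are assumed to mirror a stock Solaris 9 "other" account stack.

```conf
# /etc/pam.conf excerpt for Solaris 9 (added example, not the poster's config)

# Weak: auth-only sshd stack. Kerberos password expiry is checked in the
# account phase, so with no account lines an expired principal still logs in.
sshd    auth     sufficient  pam_krb5.so.1 try_first_pass
sshd    auth     required    pam_unix.so.1

# Corrected: add an account stack so pam_krb5 checks principal and password
# expiry after authentication; an expired password then returns
# PAM_NEW_AUTHTOK_REQD and sshd runs the password stack for a change.
sshd    auth     sufficient  pam_krb5.so.1 try_first_pass
sshd    auth     required    pam_unix.so.1
sshd    account  required    pam_krb5.so.1
# Assumed to match the stock Solaris 9 "other" account entries:
sshd    account  requisite   pam_roles.so.1
sshd    account  required    pam_unix_account.so.1
```

How pam_krb5.so.1 treats a user who did not authenticate through Kerberos in the account phase is version-specific, so check pam_krb5(5) on the host and test from a second session before relying on it.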
