I've tried to debug that for a while now, but I just don't get it.

Firstly, I have a network with a mix of Windows/RHEL5.2/Solaris machines.
Active Directory is the main authentication/authorization server on a Win2K3R2 server.

Windows/RHEL5.2/Solaris machines can log in using LDAP/Kerberos to their own accounts.

The thing that doesn't work is when a Unix user tries to change their AD password.

Code:
user>kpasswd
Password for user@DOMAIN.COM:
Enter new password:
Enter it again:
Password change rejected.

The newly entered password meets the password requirements.

These are my config files:
krb5.conf
Code:
[libdefaults]
default_realm=DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc=true
[realms]
DOMAIN.COM = {
kdc=server.domain.com
admin_server=server.domain.com
default_domain=domain.com
kpasswd_server=server.domain.com
}
[domain_realms]
.kerberos.server=DOMAIN.COM
[domain_realm]
.domain.com=DOMAIN.COM
domain.com=DOMAIN.COM
[appdefaults]
pam={
debug=false
ticket_lifetime=36000
renew_lifetime=36000
forwardable=true
krb4_convert=false
}

ldap.conf
Code:
host x.x.x.x
base dc=domain,dc=com
binddn ldapbind@domain.com
bindpw blabla1!
pam_member_attribute member
pam_password ad
nss_base_passwd dc=domain,dc=com?sub
nss_base_shadow dc=domain,dc=com?sub
nss_base_group dc=domain,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

system-auth
Code:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >=500 quiet
auth sufficient pam_krb5.so use_authtok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_krb5.so use_authtok
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so 
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

I also can't find any logs about Kerberos either.

Thanks,
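
A sanity check that can be run over the two files posted above, as an added example that is not part of the original post: it reports krb5.conf section headers that are not standard section names, and ldap.conf directives that are set more than once with different values. The function names are hypothetical, the section list assumes MIT krb5, and the sample inputs are excerpts constructed from the posted files.

```python
import re

# Section names from the krb5.conf man page (assumption: MIT krb5 client).
KRB5_SECTIONS = {"libdefaults", "login", "appdefaults", "realms", "domain_realm",
                 "logging", "capaths", "plugins", "dbdefaults", "dbmodules"}

# Constructed excerpts of the krb5.conf and ldap.conf posted above.
KRB5_SAMPLE = """\
[libdefaults]
default_realm=DOMAIN.COM
[realms]
DOMAIN.COM = {
kpasswd_server=server.domain.com
}
[domain_realms]
.kerberos.server=DOMAIN.COM
[domain_realm]
.domain.com=DOMAIN.COM
"""
LDAP_SAMPLE = """\
pam_password ad
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
ssl no
pam_password md5
"""

def unknown_krb5_sections(text):
    """Return [section] headers that are not known krb5.conf section names."""
    headers = re.findall(r"^[ \t]*\[([^\]]+)\][ \t]*$", text, flags=re.M)
    return [h for h in headers if h.strip().lower() not in KRB5_SECTIONS]

def conflicting_ldap_directives(text):
    """Return {directive: [values]} for directives given different values."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        # nss_map_* lines repeat legitimately, one per mapped name, so key
        # them on the directive plus the name being mapped.
        if name.startswith("nss_map_") and value:
            mapped, *rest = value.split(None, 1)
            name, value = f"{name} {mapped.lower()}", (rest[0] if rest else "")
        values = seen.setdefault(name, [])
        if value not in values:
            values.append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    print("unknown krb5.conf sections:", unknown_krb5_sections(KRB5_SAMPLE))
    print("conflicting ldap.conf directives:", conflicting_ldap_directives(LDAP_SAMPLE))
```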