We have a problem with password expiration in our eDirectory/DSfW tree.

User passwords are set to expire every 365 days. A user logs in and receives the message telling her to change the password. The user changes the password, and everything seems to go successfully. Next time the user logs in, they give the new password and Novell login succeeds. But then they are prompted again for the domain password. They need to give the previous password in order to successfully log in to the domain.

diagpwd doesn't seem to show any problems with the password - the password change time is correct and I can't see any obvious problems:

Object DN: cn=Someone,ou=IT,o=TLV
        EMail: [NONE]
        Last Changed Date: 2013-01-14 06:10:17 Z
        Password Status: Enabled, Set
        Distribution Password Status: Set
        Simple Password Status: Set
        Password Policy DN: cn=Domain Password Policy,cn=Password Policies,cn=System,o=TLV
        Options: 0x340 (832)
        Universal Password enabled
        Advanced policy enabled
        Sync NDS
        Sync Simple
        Synch external
        Not user readable
        Not admin readable

The problem only occurs when the user changes the password during grace logins. If the user simply changes the password via Ctrl+Alt+Del - Change Password, then the domain password also gets changed and they can log in by entering the password only once. Even if they change the password on a workstation that is not joined to the domain, they can next time successfully log in at a workstation that is joined to the domain.

Our DSfW servers are, admittedly, rather outdated, running OES2SP1. Other servers in the tree are NW65 with eDir 8.8 SP5 and NW51 with eDir 8.7.3. Workstations are running Novell Client 4.91 SP5 (WinXP) and Novell Client 2 SP2 (Windows 7). The problem affects users with both client versions. I'm pretty sure there was a time when this problem didn't exist, but it's hard to pinpoint exactly when it started to happen.