Replying to:
stumpr
Virtuoso

It sounds like you just enabled Kerberos auth logins; you haven't done full AD integration with Winbind and PAM. In other words, are you creating local accounts for each user? Without Winbind you won't be able to honor the Windows password controls. You've probably just passed the local password expiration policy of your local accounts (which are still authenticating with AD Kerberos).

As some posters pointed out, you need to change the local password expiration default for new users. (Disable it for new users).

esxcfg-auth --passmaxdays=-1

However, this will not affect existing users IIRC. You'll have to update existing users as well I believe. (Disable it for existing users).

chage -M -1 <username>

Your other option is to "upgrade" your AD integration to full Winbind integration as a few other posters indicated. The root and vpxuser accounts have no aging.

I'm guessing esxcfg-auth --passmaxdays may just edit /etc/login.defs (usual place where the password expiration default settings are kept). Have to take a look at it when I get a chance.

Reuben Stump | http://www.virtuin.com | @ReubenStump
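
As an added example (not part of the original post): a shell sketch that finds the existing local accounts still subject to a maximum password age, which are the ones the `chage -M -1` step above applies to. The function names and the sample shadow entries are constructed for illustration, and treating 99999 as "no aging" is an assumption based on the conventional never-expire value.

```shell
#!/bin/sh
# Shadow-format fields: name:hash:lastchg:min:MAX:warn:inactive:expire:reserved
# Field 5 (MAX) is the maximum password age in days. An empty value or -1
# means aging is off; 99999 is treated the same way here (assumption).

# Print "user maxdays" for every account that still has password aging.
# Reads the files given as arguments (e.g. /etc/shadow), or stdin if none.
aging_accounts() {
    awk -F: '
        NF >= 5 && $1 !~ /^#/ && $5 != "" && $5 != "-1" && $5 != "99999" {
            print $1, $5
        }
    ' "$@"
}

# Print, for review, the command from the post for each such account.
# Nothing is executed; the output is meant to be checked before use.
remediation_cmds() {
    aging_accounts "$@" | while read -r user maxdays; do
        printf 'chage -M -1 %s\n' "$user"
    done
}

# Constructed sample data: not taken from a real system.
sample_shadow() {
    cat <<'EOF'
root:*:14000:0:99999:7:::
vpxuser:*:14000:0:-1:7:::
jdoe:*:14000:0:90:7:::
asmith:*:14000:0::7:::
bwong:*:14100:0:60:7:::
EOF
}

# Demo on the constructed sample; on a real host pass /etc/shadow as root.
sample_shadow | aging_accounts
sample_shadow | remediation_cmds
```

Only jdoe and bwong are reported in the sample, because root, vpxuser and asmith have aging disabled.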