AFP548

Leopard’s Login Window Doesn't Get AD Password Expiration Warnings

Is anyone else having problems getting AD password expiration notices in AD environments on Leopard Macs? It used to work for me in Tiger, but I'm not getting the warnings when I log into Leopard Macs. After logging into the domain, AD-aware apps such as Entourage 2008 warn me about my password expiration, but the OS X Login Window isn't prompting me with the expected "Your password will expire in x days."

Just for fun, I unearthed an older PPC Mac that is still running Tiger (10.4.11) and the Login Window does give me the "Password will expire in x Days" warning as expected.

I filed a bug report with Apple and they closed it and said basically "Works fine for us. Go away now". Nice.

Notes:

- All of my users have 'managed mobile' user accounts for offline access (laptop users, etc.).
- All my Macs are running 10.5.2. None of them can get AD password notices at the Login Window.
- All my Macs are bound to a simple AD 2003 domain. No complicated forest. 1 single domain. Vanilla.
- When I log into my AD domain from a Leopard Mac, I get a TGT from the KDC (which is an Active Directory domain controller) as expected. Thus, Kerberos appears to be working (see below).
- SSO to other services such as SMB file servers works as expected.
- DNS works fine (forward and reverse lookups are resolving as expected).
- All of my Mac desktop clients are getting their IPs via DHCP (not static).

I did notice that, based on info in the Kerberos Utility, my TGT appears to be forwardable and proxiable on Tiger test Macs, but in Leopard the TGT I receive from my AD DC (KDC) isn't forwardable or proxiable. So, as a test, I edited the /Library/Preferences/edu.mit.kerberos file on a test Leopard box and made the settings identical to the Tiger Mac, but that had no effect on the Leopard Login Window.

Any help is appreciated.