[Samba] Novell Client forces password change, Ver. 3.5.2. and LDAP

[Jörn Frenzel]

Dear all,

we have a strange behavior using Samba (Verson 3.5.2) as PDC with Open LDAP 
(Version 2.1.22) as backend and an old Novell-Client (version: 4.91 SP5) 
running on WinXP (SP3 and higher).

The old PDC (Version 3.0.28) was running over years with the same 
LDAP-Server as backend and with Novell installed on the clients.

We decided to migrate to Samba 3.5.2 , updated all the LDAP schemas 
according to Samba Version 3.5.2, setup an new 64Bit Ubuntu (10.4) and 
build the new Samba. Everything worked fine and the testclient (without 
Novell) could login without any trouble. But if i try to login on a 
Novell-Client (using nwgina.dll instead of msgina.dll), i'm forced to set a 
new password and this is what we don't want.

Users LDAP-Values for "sambaPwdMustChange" are quite old, but the 
LDAP-Value "sambaMaxPwdAge" for the object "sambaDomain" itself is set to 
"-1". As far as i understand, this should ever cover the 
"old-passwords-problem" and in indeed msgina.dll does not claim about old 
pwds.

But nwgina seems to act in a different way. As we noticed in the 
nwgina.log, it is first asking if username and password apply and then it 
is  asking about the password age.

We digged around in the code, looking for the point nwgina uses to ask 
about the password age. Unfortunately we found nothing.

Any help would be appreciated.

Regards,

Joern