SAMBA and LDAP and objectClass: shadowAccount and password aging

Bartlomiej Solarz-Niesluchowski Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Wed Mar 29 08:47:18 GMT 2006


Good Morning!

I have a problem with Samba and password changing.

I want to have both Windows and Unix password aging + synchronizing.

I have the Unix and Windows passwords in LDAP; Samba is the PDC.

I have set up PAM to change passwords (and password aging) when a user
uses passwd:
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_smbpass.so try_first_pass use_authtok smbconf=/etc/samba/smb.conf

and I set up Samba to change passwords from the Windows side:
passdb backend = ldapsam:ldap://zzzz/
pam password change = Yes
ldap admin dn = cn=Manager,dc=zzzz
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=zzzz

BUT
when I change the password through passwd, these are changed:
shadowLastChange
sambaPwdCanChange
sambaLMPassword
sambaNTPassword
sambaPwdLastSet
userPassword

If I change the password through Windows, I have:
sambaPwdCanChange
sambaPwdMustChange
sambaLMPassword
sambaNTPassword
sambaPwdLastSet
userPassword

SO:
1. From the Unix (passwd) password changing program, setting Windows
password aging does not work correctly (sambaPwdMustChange is not set).
2. From the Windows side, setting shadowLastChange does not work.

How do I set up a system where both Windows and Unix password aging work?

Best Regards


--
Bartlomiej Solarz-Niesluchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
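
Added example, not part of the original post: a read-only Python audit that flags accounts where the two password-change paths described above have left the shadowAccount and sambaSamAccount aging attributes out of step. The sample LDIF, its DNs and the one-day tolerance are constructed assumptions; shadowLastChange counts days since 1970-01-01, while the samba* timestamps count seconds.

```python
DAY = 86400  # shadowLastChange is in days since 1970-01-01; samba* values are in seconds
# Constructed sample (not from the post): alice last used passwd, bob last used Windows.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 13236
sambaPwdLastSet: 1143622038

dn: uid=bob,ou=People,dc=example
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 13200
sambaPwdLastSet: 1143622038
sambaPwdMustChange: 1147510038
"""

def parse_ldif(text):
    """Parse plain (non-base64) LDIF into a list of {attribute: [values]} dicts."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:    # folded continuation of the previous value
            cur[last][-1] += line[1:]
        elif not line.strip():               # a blank line closes the current entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif not line.startswith("#") and ":" in line:
            last, _, val = line.partition(":")
            cur.setdefault(last, []).append(val.strip())
    return entries

def audit(entry, tolerance_days=1):
    """Return findings for an entry that carries both aging attribute sets."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if not {"shadowaccount", "sambasamaccount"} <= classes:
        return []
    findings = []
    if "shadowLastChange" in entry and "sambaPwdLastSet" in entry:
        drift = int(entry["sambaPwdLastSet"][0]) // DAY - int(entry["shadowLastChange"][0])
        if abs(drift) > tolerance_days:
            findings.append(f"shadowLastChange differs from sambaPwdLastSet by {drift} days")
    else:
        findings.append("shadowLastChange or sambaPwdLastSet missing")
    if "sambaPwdMustChange" not in entry:
        findings.append("sambaPwdMustChange not set")
    return findings

def report(ldif_text):
    return {e["dn"][0]: audit(e) for e in parse_ldif(ldif_text) if "dn" in e}
```

An empty findings list for a DN means its Unix and Samba aging attributes agree within the tolerance.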


