
	; password sync
	pam password change = no
@!@
if configRegistry.get('samba/user', None):
    binddn = configRegistry['samba/user']
    filename = ('/etc/ldap.secret' if binddn.startswith('cn=admin,') else '/etc/machine.secret') if not configRegistry.get('samba/user/pwdfile') else configRegistry.get('samba/user/pwdfile')
elif configRegistry.get('server/role') in ['domaincontroller_master', 'domaincontroller_backup']:
    binddn = 'cn=admin,%s' % (configRegistry['ldap/base'])
    filename = "/etc/ldap.secret"
else:
    binddn = ''
    filename = ''

if configRegistry.get('samba/role') == 'memberserver':
    print('	unix password sync = no')
elif configRegistry['server/role'] == 'domaincontroller_master' or configRegistry.get('samba/domainmaster') == 'yes':
    print('	unix password sync = yes')
    print('	passwd program = /usr/share/univention-admin-tools/univention-passwd --binddn "%s" --pwdfile "%s" --user "%%u"' % (binddn, filename))
else:
    print('	unix password sync = no')
@!@


	; ldap passwd sync = yes
	passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
	passwd chat timeout = 60

@!@
if configRegistry.is_false('samba/use_spnego', 'yes'):
    print('\tuse spnego = no')

print('\tclient use spnego = %s' % configRegistry.get('samba/client_use_spnego', 'yes'))
@!@

	obey pam restrictions = @!@
if configRegistry.get('samba/pam/restrictions'):
    print('%s' % configRegistry['samba/pam/restrictions'])
else:
    print('yes')
@!@
