
	; password sync
	pam password change = no
@!@
if configRegistry.get('samba/user', None):
	binddn=configRegistry['samba/user']
	if not configRegistry.get('samba/user/pwdfile'):
		if binddn.startswith('cn=admin,'):
			file='/etc/ldap.secret'
		else:
			file='/etc/machine.secret'
	else:
		file=configRegistry.get('samba/user/pwdfile')
elif configRegistry.get('server/role') in [ 'domaincontroller_master', 'domaincontroller_backup' ]:
	binddn='cn=admin,%s' % (configRegistry['ldap/base'])
	file="/etc/ldap.secret"
else:
	binddn=''
	file=''

if configRegistry['server/role']=='domaincontroller_master' or (configRegistry.has_key('samba/domainmaster') and configRegistry['samba/domainmaster']=='yes'):
	print '	unix password sync = yes'
	print '	passwd program = /usr/share/univention-admin-tools/univention-passwd --binddn "%s" --pwdfile "%s" --user "%%u"' % (binddn,file)
else:
	print '	unix password sync = no'
@!@


	; ldap passwd sync = yes
	passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
	passwd chat timeout = 60

@!@
print '\tuse spnego = %s' % configRegistry.get('samba/use_spnego', 'yes')

print '\tclient use spnego = %s' % configRegistry.get('samba/client_use_spnego', 'yes')
@!@

	obey pam restrictions = @!@
if configRegistry.has_key('samba/pam/restrictions') and configRegistry['samba/pam/restrictions']:
	print '%s' % configRegistry['samba/pam/restrictions']
else:
	print 'yes'
@!@

@!@
print '\tencrypt passwords = %s' % configRegistry.get('samba/encrypt_passwords', 'yes')
@!@
