
	; password sync
	pam password change = no
@!@
if configRegistry.get('samba/user', None):
	binddn = configRegistry['samba/user']
	if not configRegistry.get('samba/user/pwdfile'):
		if binddn.startswith('cn=admin,'):
			filename = '/etc/ldap.secret'
		else:
			filename = '/etc/machine.secret'
	else:
		filename = configRegistry.get('samba/user/pwdfile')
elif configRegistry.get('server/role') in ['domaincontroller_master', 'domaincontroller_backup']:
	binddn = 'cn=admin,%s' % (configRegistry['ldap/base'])
	filename = "/etc/ldap.secret"
else:
	binddn = ''
	filename = ''

if configRegistry.get('samba/role') == 'memberserver':
	print('	unix password sync = no')
elif configRegistry['server/role'] == 'domaincontroller_master' or configRegistry.get('samba/domainmaster') == 'yes':
	print('	unix password sync = yes')
	print('	passwd program = /usr/share/univention-admin-tools/univention-passwd --binddn "%s" --pwdfile "%s" --user "%%u"' % (binddn, filename))
else:
	print('	unix password sync = no')
@!@


	; ldap passwd sync = yes
	passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
	passwd chat timeout = 60

@!@
if configRegistry.is_false('samba/use_spnego', 'yes'):
	print('\tuse spnego = no')

print('\tclient use spnego = %s' % configRegistry.get('samba/client_use_spnego', 'yes'))
@!@

	obey pam restrictions = @!@
if configRegistry.get('samba/pam/restrictions'):
	print('%s' % configRegistry['samba/pam/restrictions'])
else:
	print('yes')
@!@
