I say this because clients joined to the domain (run by a Samba PDC with an OpenLDAP backend) can change their passwords and it updates the NT/LM passwords in LDAP, thus verifying the functionality of smbk5pwd, but it does not appear to enforce ppolicy restrictions. On the flip side of the coin, the user can change their LDAP password by invoking ldappasswd from a shell on the server, and is bound by the restrictions set forth by ppolicy (password length, strength, historical passwords, etc.).
The ppolicy overlay is adding extra functionality to the password extended operation. ldappasswd uses this. The restriction is not present if you update the password hash via the ldapmodify command. The key is in the extended operation. As an added tidbit, only userPassword is monitored, not any other attribute. Samba does password changes via an ldapmodify rather than an ldappasswd (unless you have "ldap passwd sync = Only", which I have never personally used, so I have no tests to back this up). This would explain why LDAP enforces the policy and Samba does not.
My 'passwd program' in my smb.conf is "passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com" - so it should be using ldappasswd, which is bound by ppolicy, correct?
You shouldn't need a "passwd program" when using an LDAP SAM.
I've tried 'ldap passwd sync = only' after my failures with 'ldap passwd sync = yes' led me back to the documentation; however, this yielded no success.
I'm pretty sure if you have "ldap passwd sync = yes" that your "passwd program" directive is irrelevant, since this means Samba is doing an ldapmodify to set the NT, LM, and userPassword attributes; your passwd program isn't doing anything. If "only" doesn't work then I strongly suspect that your smbk5pwd module is *not* working, otherwise "only" would be the only mode to make any sense. By setting "ldap passwd sync = yes" you're, at best, doing the work of smbk5pwd twice.
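As an added illustration of the two password-change paths discussed in this thread (not taken from any of the posts; the hostname, DNs and policy entry name are made up), here is the smb.conf setting under which Samba writes the hashes itself with a plain LDAP modify, beside the setting under which it issues only the password-modify extended operation that ppolicy and smbk5pwd hook, together with the matching slapd.conf overlay lines:

```conf
# ---- smb.conf, [global] section (assumed hostname and DNs) ----
[global]
    workgroup        = EXAMPLE
    passdb backend   = ldapsam:ldap://ldap.example.com
    ldap suffix      = dc=example,dc=com
    ldap user suffix = ou=Users
    ldap admin dn    = cn=admin,dc=example,dc=com

    # Path A (commented out): Samba computes the NT/LM hashes and issues
    # an ordinary LDAP modify replacing sambaNTPassword, sambaLMPassword
    # and userPassword. No password-modify extended operation is sent,
    # so the "passwd program" line below is never invoked at all.
    ; ldap passwd sync = yes
    ; passwd program  = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com

    # Path B: Samba sends only the LDAP password-modify extended operation
    # (RFC 3062) and writes no hash attributes itself. slapd's ppolicy
    # overlay enforces the policy on that operation, and the smbk5pwd
    # overlay derives sambaNTPassword/sambaLMPassword from the same
    # request. This only works if smbk5pwd is loaded and functioning.
    ldap passwd sync = only

# ---- slapd.conf, database section for dc=example,dc=com ----
moduleload  ppolicy.la
moduleload  smbk5pwd.la

overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"

overlay smbk5pwd
smbk5pwd-enable samba
```

A quick way to confirm which path is in use is to watch slapd's log at a loglevel that records operations while a domain client changes its password: Path A shows a MOD of the three attributes, Path B shows an EXT (extended) operation followed by the overlay's own writes.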