I'm not even sure this is the path I ought to be going down. If smbk5pwd has no knowledge of ppolicy, and password changes from Windows clients won't adhere to those restrictions with any combination of configuration options in any currently known universe, perhaps what I really need is an alternate strategy. I'm open to suggestion; my only requirements are that password changes from a Windows workstation be subjected to the ppolicy constraints, and that the LDAP and Samba passwords all be in sync.
I did some experiments last summer but it was quite disappointing. Even if a password change is rejected by the LDAP server, the Windows workstation reports success; in addition, it caches the supposedly new password, which poses some further problems. Please let me know if you make some progress.
BTW be careful with 'ldap passwd sync = only' https://bugzilla.samba.org/show_bug.cgi?id=4901
Regards, Thierry.