shadowMax means how long the password will remain valid.  "0" means never.  You need to manipulate the attribute shadowLastChange, which says when the password was last changed.  Together with the shadowMax attribute, you can determine when the password will expire.
Dorit.

On 5/31/2012 11:04 AM, zingalo wrote:
good morning, I've a question about password managing in ldap with samba. I've seen that samba schema's attributes don't have effect on password managing. Only shadowAccount's attribute do it. So i changed shadowMax to "0" for a user and at the next login it tells me

"You are required to change your password immediately (password aged) LDAP administrator password:  "

After entering ldap admin's password it tells me

"Authentication token manipulation error".

Why? the admin'password is correct, am sure

Thanks