password expiry and ldap

[=?utf-8?q?V=C3=A1clav_H=C5=AFla?= <ax@natur.cuni.cz>]

Hi,
  I use ldap as backend for heimdal. I have accounts in ldap with:
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: sambaSamAccount

created by smbldap-adduser, then loaded with kerberos data using kadmin -l 
load

So far it looks well, i can get tickets, when I change password w. kpasswd the 
sambaNTPassword gets updated too. Problem is with password expiration: there 
is both krb5PasswordEnd and sambaPwdMustChange (set right when i loaded the 
dump of old database). However, when viewed in kadmin the field "Password 
expires:" is set to never, and both ldap fields are happily ignored (i can 
see in logs that the attrs are fetched from ldap). When I try to modify 
password expiry, I get error:

kadmin> mod --pw-expiration-time=2006-08-16 ax
kadmin: kadm5_modify_principal: Unknown error 36150281

I am not sure what this error means, but accoring to the logs, no write is 
tried to ldap and last attibutes accessed are creator/modifiet name and 
timestamp (which are afaict nonexistent, and not present in any schema file I 
have). 

Can please anybody give me any hint? Is password aging even supposed to work 
in this config?

I have heimdal-0.7.2 and slapd 2.3.24 here.

Ax
-- 
Václav Hůla,
správce unixových serverů
Přírodovědecká fakulta
Univerzita Karlova v Praze