In usrmgr, when creating a new user, ticking "user must change password on next logon" doesn't take effect when using the smbk5pwd overlay. This is because smbk5pwd changes sambaPwdLastSet to the current time during the EXOP password change. In order for this to work, Samba must change the password first (via EXOP), then set sambaPwdLastSet to zero.
Looking into this one.
Günther, are you still in the mood for looking into this?