The SWAT simplified interface used to change password, eg the 'swat -P', does not use the 'check password script' option in smb.conf, so users that change their password via web/SWAT interface can bypass password quality assurance checks. [i don't know if this is a general SWAT problem or triggerend only by the way of the -P option...] PS: please, remember to implement %u variables parsing as in https://bugzilla.samba.org/show_bug.cgi?id=5018 . Thanks.
Aarrgghh!!! I'm a stupid, please ignore/close this bug (if i'm not able to do so), all works as expected. Sorry.