I configured password expiry to 60 days via samba-tool:

# samba-tool domain passwordsettings show
...
Maximum password age (days): 60

In ADUC the "password never expires" entry is *not* checked for my account. So it would expire, but pdbedit shows "never":

# pdbedit -L -v muehlfeld
...
Password must change: never

If I check "password never expires" in ADUC, it shows:

# pdbedit -L -v muehlfeld
...
Password must change: Di, 19 Jan 2038 04:14:07 CET

The userAccountControl LDAP entry contains 512 when the option is not checked, and 66048 when checked.
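
The two userAccountControl values from the post, decoded, with the expiry date the 60-day policy would be expected to give. This is an added example, not part of the original post and not Samba's code; the flag values are those Microsoft documents for Active Directory, and the pwdLastSet value is constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits as documented by Microsoft for Active Directory.
UAC_FLAGS = {
    0x00002: "ACCOUNTDISABLE",
    0x00020: "PASSWD_NOTREQD",
    0x00200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
DONT_EXPIRE_PASSWORD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Largest signed 32-bit time_t: 2038-01-19 03:14:07 UTC, i.e. 04:14:07 CET,
# the date pdbedit printed in the post once the flag was checked.
TIME_T_MAX = datetime.fromtimestamp(2**31 - 1, tz=timezone.utc)

# Constructed sample: pwdLastSet for 2013-01-01 00:00:00 UTC
# (AD stores it as 100 ns ticks since 1601-01-01 UTC).
SAMPLE_PWD_LAST_SET = 130014720000000000


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_datetime(filetime):
    """Convert an AD timestamp (100 ns ticks since 1601) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def expected_must_change(uac, pwd_last_set, max_age_days):
    """Return the expected expiry, or None if the password never expires."""
    if uac & DONT_EXPIRE_PASSWORD:
        return None
    return filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)


if __name__ == "__main__":
    for uac in (512, 66048):  # the two values reported in the post
        due = expected_must_change(uac, SAMPLE_PWD_LAST_SET, 60)
        print(uac, hex(uac), decode_uac(uac), due or "never")
    print("time_t max:", TIME_T_MAX)
```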