samba - Sep 2011 - reseting password and policy; /etc/passwd; /var/lib/samba/

Hi all, 

this is my setup

OS: Debian Squeeze (6.0.2)
Samba: 3.5.6
LDAP: 2.4.23

and I have few questions about things I dont really understand and
havent found clear answer using google and searching mailng list till
now:

1) is there a way to get some password changing tool (smbpasswd,
ldappasswd, smbldap-passwd, etc.) obey account policy, which I set using
pdbedit (and works fine when I try to change password from Windows, but
not using those utilities) without knowing old password? I need reset
userses passwords. Here is, how those tools work for me:

smbpasswd - obeys account policy when run as non root, but I need to
know old password; as root it bypasses smbd afaik, so no policy (?)...

ldappasswd -x -S -W -D "admin dn" "user dn" - does not
change
sambaNTPassword (creates/changes userPassword)

smbldap-passwd -s user - no policy

Is there some other tool which can accomplish this task?

2) do I need /etc/passwd if I use LDAP as a backend, or is it sufficient
to have posixAccount and shadowAccount in LDAP? 

3) when I use LDAP as a backend, is it safe to delete .tdb files
in /var/lib/samba/ and leave only passdb.tdb (which is required for
storing ldap password, afaik)? Or else, can I delete
whole /var/lib/samba/ dir and store the password somewhere else? (Is
that password even stored there?)

Could you please clarify it to me?


Thanks a lot in advance, Rado.

in the past, I've used a wrapper script round smbldap-passwd to enforce
policy for complexity.

I'd be interested to know if there's another way these days.