We are trying to implement Safeboot Device Encryption whilst maintaining Novell Client login as primary GINA (Location Profiles, Contextless login and all that good stuff).
We are happy for Safeboot to require a separate logon at boot, but then disable its SSO capability so we are provided with the NW GINA. We sync accounts from eDir to Safeboot using the LDAP connector - all OK.
The issue we have is maintaining sync of the passwords. (BTW we have a parallel sync'd AD behind eDir and dual authentication.)

We have configured the Safeboot client to effectively sync its password with Windows, and allow the Novell client to sync its password change to Windows. This works fine for CTRL+ALT+DEL Change Password, but fails when changing an eDirectory expired password during login (i.e. the majority way).

We get the error:
"The Windows password entered is invalid"
Even though we have no restrictive policies in Windows accounts themselves (all done through NMAS Policies in eDir).
This seems to be an issue with the way that Safeboot is returning to Windows, when Windows is trying to sync the password with the one entered via the Novell client.
We have set the password 'Template' for Safeboot to be its most basic, but still it doesn't seem to like our password (as per complex rule from NMAS policy).

Anyone else in this hole?
Any other suggestions?
We've come to accept that we cannot get Safeboot to SSO via the Novell GINA because we NEED location profiles and don't want to be hassled with aliases to get 'round the contextless login issue.... We just want a std expired password change to sync!!

All ideas welcome!!

Many thanks