“check password script” option does not reliably pass parameters

the purpose of my “check password script” is, amongst others, to check if a new password contains relevant portions of the username. Therefore, it is called like this from smb.conf:

check password script = /usr/local/sbin/checkpw.sh %U

I did expect it to pass the username to the script.

But most of the times, the script receives not the username, but the computer account name of the specific user, or even nothing at all.

I verified this by logging what the script gets:

username=$1
log "user $username initiated password change"

and this is the result:
/var/log/syslog:Nov 4 08:07:57 <hostname> checkpasswd: user <client hostname> initiated password change
/var/log/syslog:Nov 4 08:35:53 <server hostname> checkpasswd: user <client hostname> initiated password change
/var/log/syslog:Nov 4 08:37:35 <server hostname> checkpasswd: user <client hostname> initiated password change
/var/log/syslog:Nov 4 08:56:49 <server hostname> checkpasswd: user <empty> initiated password change
/var/log/syslog:Nov 4 08:56:49 <server hostname> checkpasswd: ERR complexity score not met (2/3)
/var/log/syslog:Nov 4 08:57:51 <server hostname> checkpasswd: user <empty> initiated password change
/var/log/syslog:Nov 4 08:58:30 <server hostname> checkpasswd: user <empty> initiated password change
/var/log/syslog:Nov 4 09:23:49 <server hostname> checkpasswd: user <empty> initiated password change
/var/log/syslog:Nov 4 09:24:44 <server hostname> checkpasswd: user <client hostname> initiated password change
/var/log/syslog:Nov 4 09:24:44 <server hostname> checkpasswd: ERR complexity score not met (2/3)
/var/log/syslog:Nov 4 09:26:01 <server hostname> checkpasswd: user <client hostname> initiated password change