Is lckpwdf() and ulckpwdf() intended to be used only for apps directly accessing the shadow password file?
More precisely, my question is: If I call the usual API such as getspnam() or getspent(), should I be calling lckpwdf() first, or is that automatically done by getspnam(), etc...?
You don't need to use lckpwdf() unless you are planing on making changes to the shadow file. lckpwdf() created an exclusive lock on the file, which causes any process trying to access the file wait until the lock is released. For reading the shadow file, this is highly unnecessary.
If you are modifying the file, call lckpwdf() once before your modifications, process with your modifications, and then call ulckpwdf(). Also, if you run into an exception, make sure to call ulckpwdf().