Description of problem:
When using a setup with both LDAP and Kerberos V in which both stores have the same user password the PAM setup seems to be wrong. I realize that its not optimal to keep a users password both in LDAP and Kerberos, ideally LDAP should only provide directory services and let Kerberos do all the authentication. Unfortunately there are still a lot of apps which do not support Kerberos and only support simple LDAP binds.

PAM gets setup with the following out of the box:
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok

This does not work, the password only gets changed in Kerberos (because of 'sufficient'). For some reason using required, optional or requisite on pam_ldap.so causes it to fail ? I haven't investegated this in depth but only with 'sufficient' does pam_ldap actually get to the 'Enter new password' line.

This setup seems to work:
password    required      pam_krb5.so use_authtok
password    sufficient    pam_ldap.so


Steps to Reproduce:
1. Install Fedora and indicate you want to use both LDAP and Kerberos for Network authentication.
  
Actual results:
Logging-in, NSS, etc. all work fine, however password changing does not work correctly. Password only gets changed in one store. The first one listed in PAM.


Expected results:
Password gets changed in both LDAP and Kerberos.

Additional info: