Description of problem:
When using a setup with both LDAP and Kerberos V in which both stores have the same user password the PAM setup seems to be wrong. I realize that its not optimal to keep a users password both in LDAP and Kerberos, ideally LDAP should only provide directory services and let Kerberos do all the authentication. Unfortunately there are still a lot of apps which do not support Kerberos and only support simple LDAP binds.
PAM gets setup with the following out of the box:
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
This does not work, the password only gets changed in Kerberos (because of 'sufficient'). For some reason using required, optional or requisite on pam_ldap.so causes it to fail ? I haven't investegated this in depth but only with 'sufficient' does pam_ldap actually get to the 'Enter new password' line.
This setup seems to work:
password required pam_krb5.so use_authtok
password sufficient pam_ldap.so
Steps to Reproduce:
1. Install Fedora and indicate you want to use both LDAP and Kerberos for Network authentication.
Logging-in, NSS, etc. all work fine, however password changing does not work correctly. Password only gets changed in one store. The first one listed in PAM.
Password gets changed in both LDAP and Kerberos.
Unfortunately your setup is not quite common. In other sites where some users use krb5 and other users use ldap auth your setup would not work. You have to configure system-auth and password-auth files manually.