Trouble syncing passwords

Todd Pytel tppytel at sophrosune.org
Fri Feb 17 06:43:54 UTC 2006


Hi all,

I've got my login authentication working just fine, but am having some
trouble getting password changes to sync up properly. Accounts may be
local (only) or network (passwords stored in both LDAP and Kerberos,
for reasons I won't go into). The LDAP and Kerberos configurations are
fine as far as access control and functionality are concerned - I just
can't figure out the right way to configure the PAM stack to get
password changing synced up properly.

I've been trying variations on:

password   sufficient   pam_unix.so md5 shadow
password   required     pam_krb5.so try_first_pass 
password   required     pam_ldap.so try_first_pass use_authtok

I'm pretty sure the issue is that I don't have the try_first_pass's and 
use_authtok's in the right spots. I don't really understand exactly how
those work in password lines - do they apply to the first (old/expired)
password or the new password or both? Do I want the krb5 and ldap parts
taking authtok's from the unix part, given that a local user would not
have a network password?

Anyway, I've tried a bunch of different variations on the above and
gotten a variety of results, none completely successful. In the
particular example above, I'll log in (with a pw marked expired in
shadow via LDAP), get the first "Password:" prompt for the old pw, enter
it, and then get logged in with a message that the LDAP pw has been
changed, even though I never entered a new pw at all. Obviously, I'm
missing out on some kind of fundamental understanding, because I don't
understand how that's possible. 

Any assistance/example is greatly appreciated.

-- 
Todd Pytel
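A toy model of how Linux-PAM evaluates a password stack, added here as an illustration (it is not Linux-PAM code and not from the original post). It walks the posted stack twice the way pam_chauthtok() does (PAM_PRELIM_CHECK, then PAM_UPDATE_AUTHTOK), applies the sufficient/required/requisite rules, and shows that try_first_pass reads the old password an earlier module left in PAM_OLDAUTHTOK while use_authtok reads the new password left in PAM_AUTHTOK. The dict backends, prompt strings, sample passwords and the rule that a module fails with PAM_USER_UNKNOWN for users it does not hold are assumptions made for the demo.

```python
"""Model of a Linux-PAM password stack (added illustration, not libpam).

Assumptions for the demo: each module is backed by a user->password dict,
fails with PAM_USER_UNKNOWN for users it does not hold, and verifies the old
password with a plain comparison.
"""

PRELIM_CHECK, UPDATE_AUTHTOK = "PAM_PRELIM_CHECK", "PAM_UPDATE_AUTHTOK"
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
PAM_USER_UNKNOWN, PAM_AUTHTOK_ERR = "PAM_USER_UNKNOWN", "PAM_AUTHTOK_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"


class Handle:
    """Stand-in for pam_handle_t: user, the two token items and a scripted
    conversation (answers consumed in order, prompts recorded)."""

    def __init__(self, user, answers):
        self.user = user
        self.items = {"PAM_OLDAUTHTOK": None, "PAM_AUTHTOK": None}
        self.answers, self.prompts = list(answers), []

    def conv(self, prompt):
        self.prompts.append(prompt)
        return self.answers.pop(0) if self.answers else ""


class Module:
    """One password-type module; store is a user->password dict (assumed)."""

    def __init__(self, name, store, *opts):
        self.name, self.store, self.opts = name, store, set(opts)

    def chauthtok(self, pamh, flag):
        user = pamh.user
        if user not in self.store:
            return PAM_USER_UNKNOWN            # assumption: not our user
        if flag == PRELIM_CHECK:
            # OLD password: try_first_pass/use_first_pass look in
            # PAM_OLDAUTHTOK first; only try_first_pass falls back to a prompt.
            old = None
            if self.opts & {"try_first_pass", "use_first_pass"}:
                old = pamh.items["PAM_OLDAUTHTOK"]
            if old is None:
                if "use_first_pass" in self.opts:
                    return PAM_AUTHTOK_ERR
                old = pamh.conv(f"{self.name}: (current) password: ")
            if self.store[user] != old:
                return PAM_AUTH_ERR
            pamh.items["PAM_OLDAUTHTOK"] = old  # left for later modules
            return PAM_SUCCESS
        # NEW password: only use_authtok reads PAM_AUTHTOK; otherwise the
        # module prompts for its own new password and stores it there.
        new = pamh.items["PAM_AUTHTOK"] if "use_authtok" in self.opts else None
        if new is None:
            if "use_authtok" in self.opts:
                return PAM_AUTHTOK_ERR         # nothing stacked before us
            new = pamh.conv(f"{self.name}: new password: ")
            pamh.items["PAM_AUTHTOK"] = new
        self.store[user] = new
        return PAM_SUCCESS


def run_pass(stack, pamh, flag):
    """One walk over [(control, module), ...] with libpam's control-flag
    rules (pam_dispatch.c's 'impression' logic, simplified)."""
    impression, status = None, PAM_SUCCESS
    for control, module in stack:
        rc = module.chauthtok(pamh, flag)
        if rc != PAM_SUCCESS:
            if control == "requisite":
                return rc                      # stop at once
            if control == "required" and impression != "negative":
                impression, status = "negative", rc  # remember, keep going
            continue                           # sufficient/optional: ignored
        if impression is None:
            impression, status = "positive", rc
        if control == "sufficient" and impression == "positive":
            return PAM_SUCCESS                 # later modules never run
    return PAM_PERM_DENIED if impression is None else status


def pam_chauthtok(stack, pamh):
    """libpam runs the stack for PRELIM_CHECK, then again for UPDATE_AUTHTOK;
    a failing first pass means nothing gets changed."""
    for flag in (PRELIM_CHECK, UPDATE_AUTHTOK):
        rc = run_pass(stack, pamh, flag)
        if rc != PAM_SUCCESS:
            return rc
    return PAM_SUCCESS


def demo(user, answers):
    """Run the stack from the post for one user: (rc, prompts, stores)."""
    shadow, kdc, ldap = {"local": "l0calpw"}, {"net": "n3tpw"}, {"net": "n3tpw"}
    stack = [   # constructed sample accounts above; stack as posted
        ("sufficient", Module("pam_unix", shadow, "md5", "shadow")),
        ("required", Module("pam_krb5", kdc, "try_first_pass")),
        ("required", Module("pam_ldap", ldap, "try_first_pass", "use_authtok")),
    ]
    pamh = Handle(user, answers)
    rc = pam_chauthtok(stack, pamh)
    return rc, pamh.prompts, {"shadow": shadow, "kdc": kdc, "ldap": ldap}


if __name__ == "__main__":
    for user, answers in (("local", ["l0calpw", "newlocal"]),
                          ("net", ["n3tpw", "newnet"])):
        print(user, *demo(user, answers))
```

Under these rules the posted stack does what the post intends: a local user only ever talks to pam_unix (sufficient ends both passes), while a network user is asked once by pam_krb5 for the old and the new password and pam_ldap reuses both, so the model does not reproduce the symptom described above; it also shows that a module with use_authtok fails with PAM_AUTHTOK_ERR if it runs before any module has set PAM_AUTHTOK.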




More information about the Pam-list mailing list