Bug Fix Advisory: pam_krb5 bug fix update

Advisory: RHBA-2009:0987-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2009-05-18
Last updated on: 2009-05-18
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
OVAL: N/A

Details

An updated pam_krb5 package that fixes various bugs is now available.

The pam_krb5 module allows applications that are aware of Pluggable
Authentication Modules (PAM) to use Kerberos to verify user identities by
obtaining user credentials at login time.

This updated package addresses the following bugs:

* when logging in without an AFS instance, multiple attempts to obtain AFS
service tickets could be unsuccessful. This patch includes a backported
"nullafs" option, which can be used to prevent the module from looking for
an assumed instance of the form afs/cell@REALM, and to use afs@REALM
directly instead. (BZ#231137)

* during user authentication, the pam_krb5 module would not reset the
PAM_AUTHTOK item if it had been set previously. If a user supplied an
incorrect password on the first attempt, and the correct password on
subsequent attempts, only the first, incorrect password would be seen by
modules called after pam_krb5. This update corrects this bug, and
authentication should now work as expected. (BZ#437179)

* when a user who is unknown to Kerberos attempted to change their
password, a "passwd: Authentication failure" error occurred. The correct
error message, "passwd: User not known to the underlying authentication
module" is now returned in this circumstance. (BZ#436968)

Users of pam_krb5 are advised to upgrade to this updated package, which
resolves these issues.
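
A simplified model of the PAM_AUTHTOK bug described above (BZ#437179), added here as an illustration; it is not pam_krb5's code and does not use libpam. The struct toy_pamh and both functions are hypothetical names, and the passwords are constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for the PAM handle: only the PAM_AUTHTOK item is modelled. */
struct toy_pamh { char *authtok; };

/* Store the password the user just typed, as an auth module would.
 * reset_existing == 0 models the behaviour the advisory describes (the item
 * is left alone if already set); 1 models the corrected behaviour. */
static void toy_store_authtok(struct toy_pamh *h, const char *typed,
                              int reset_existing)
{
    if (h->authtok != NULL && !reset_existing)
        return;                          /* stale token survives the retry */
    char *copy = malloc(strlen(typed) + 1);
    if (copy == NULL)
        return;
    strcpy(copy, typed);
    free(h->authtok);                    /* free(NULL) is a no-op */
    h->authtok = copy;
}

/* Feed the attempts through the toy module, stopping at the first one that
 * matches real_pw. Returns 1 if a module stacked after it would then read
 * the password that actually succeeded, 0 if it would read a stale one. */
static int later_module_sees_good_password(const char *const *attempts,
                                           size_t n, const char *real_pw,
                                           int reset_existing)
{
    struct toy_pamh h = { NULL };
    for (size_t i = 0; i < n; i++) {
        toy_store_authtok(&h, attempts[i], reset_existing);
        if (strcmp(attempts[i], real_pw) == 0)
            break;                       /* authentication succeeded */
    }
    int seen = (h.authtok != NULL && strcmp(h.authtok, real_pw) == 0);
    free(h.authtok);
    return seen;
}

int main(void)
{
    /* Constructed input: one wrong guess, then the right password. */
    const char *const attempts[] = { "wrong-guess", "correct-horse" };
    printf("before fix: %d\n",
           later_module_sees_good_password(attempts, 2, "correct-horse", 0));
    printf("after fix:  %d\n",
           later_module_sees_good_password(attempts, 2, "correct-horse", 1));
    return 0;
}
```

In the model, the stale item only matters when a later module in the stack consumes PAM_AUTHTOK instead of prompting for the password itself.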


Solution

Before applying this update, make sure that all previously released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Desktop (v. 4)

SRPMS:
pam_krb5-2.1.17-8.el4.src.rpm     b81b5d98b8a74b88324dfb17fa958a90
 
IA-32:
pam_krb5-2.1.17-8.el4.i386.rpm     923c4e0b4a9c387e97578e17f7d775f6
 
x86_64:
pam_krb5-2.1.17-8.el4.i386.rpm     923c4e0b4a9c387e97578e17f7d775f6
pam_krb5-2.1.17-8.el4.x86_64.rpm     8d44a475541ae6da13087ce3bd487ec6
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
pam_krb5-2.1.17-8.el4.src.rpm     b81b5d98b8a74b88324dfb17fa958a90
 
IA-32:
pam_krb5-2.1.17-8.el4.i386.rpm     923c4e0b4a9c387e97578e17f7d775f6
 
IA-64:
pam_krb5-2.1.17-8.el4.i386.rpm     923c4e0b4a9c387e97578e17f7d775f6
pam_krb5-2.1.17-8.el4.ia64.rpm     ea47169a069928b455b30e510ca85347
 
PPC:
pam_krb5-2.1.17-8.el4.ppc.rpm     74d638cec55917626472f426fa6c019e
pam_krb5-2.1.17-8.el4.ppc64.rpm     5282597633ebc40d2f2cd61e1d5a4962
 
s390:
pam_krb5-2.1.17-8.el4.s390.rpm     57f4b3b7e033479fa5d57284a5776b30
 
s390x:
pam_krb5-2.1.17-8.el4.s390.rpm     57f4b3b7e033479fa5d57284a5776b30
pam_krb5-2.1.17-8.el4.s390x.rpm     2e430837541d57724b15823555dfb1f6
 
x86_64:
pam_krb5-2.1.17-8.el4.i386.rpm     923c4e0b4a9c387e97578e17f7d775f6
pam_krb5-2.1.17-8.el4.x86_64.rpm     8d44a475541ae6da13087ce3bd487ec6
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
pam_krb5-2.1.17-8.el4.src.rpm     b81b5d98b8a74b88324dfb17fa958a90
 
IA-32:
pam_krb5-2.1.17-8.el4.i386.rpm     923c4e0b4a9c387e97578e17f7d775f6
 
IA-64:
pam_krb5-2.1.17-8.el4.i386.rpm     923c4e0b4a9c387e97578e17f7d775f6
pam_krb5-2.1.17-8.el4.ia64.rpm     ea47169a069928b455b30e510ca85347
 
x86_64:
pam_krb5-2.1.17-8.el4.i386.rpm     923c4e0b4a9c387e97578e17f7d775f6
pam_krb5-2.1.17-8.el4.x86_64.rpm     8d44a475541ae6da13087ce3bd487ec6
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
pam_krb5-2.1.17-8.el4.src.rpm     b81b5d98b8a74b88324dfb17fa958a90
 
IA-32:
pam_krb5-2.1.17-8.el4.i386.rpm     923c4e0b4a9c387e97578e17f7d775f6
 
IA-64:
pam_krb5-2.1.17-8.el4.i386.rpm     923c4e0b4a9c387e97578e17f7d775f6
pam_krb5-2.1.17-8.el4.ia64.rpm     ea47169a069928b455b30e510ca85347
 
x86_64:
pam_krb5-2.1.17-8.el4.i386.rpm     923c4e0b4a9c387e97578e17f7d775f6
pam_krb5-2.1.17-8.el4.x86_64.rpm     8d44a475541ae6da13087ce3bd487ec6
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

231137 - [PATCH]: use instance-less AFS service tickets
437179 - pam_krb5.so doesn't seem to set the password correctly for other PAM modules


Keywords

afs, password-change, user-unknown


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/