Patch from Philippe Troin    <phil@fifi.org>

Originally this included a bunch of changes to locking, but the more
recent code pulled from Linux_pam CVS seems to fix that issue.

Index: pam.deb/modules/pam_unix/pam_unix_passwd.c
===================================================================
--- pam.deb.orig/modules/pam_unix/pam_unix_passwd.c
+++ pam.deb/modules/pam_unix/pam_unix_passwd.c
@@ -577,7 +577,7 @@
 
 		if (_unix_blankpasswd(pamh, ctrl, user)) {
 			return PAM_SUCCESS;
-		} else if (off(UNIX__IAMROOT, ctrl)) {
+		} else if (off(UNIX__IAMROOT, ctrl) || on(UNIX_NIS, ctrl)) {
 			/* instruct user what is happening */
 			if (asprintf(&Announce, _("Changing password for %s."),
 				user) < 0) {
@@ -590,7 +590,9 @@
 			set(UNIX__OLD_PASSWD, lctrl);
 			retval = _unix_read_password(pamh, lctrl
 						     ,Announce
-					     ,_("(current) UNIX password: ")
+					     ,(on(UNIX__IAMROOT, ctrl)
+			                       ? _("NIS server root password: ")
+			                       : _("(current) UNIX password: "))
 						     ,NULL
 						     ,_UNIX_OLD_AUTHTOK
 					     ,&pass_old);
@@ -601,9 +603,12 @@
 				    "password - (old) token not obtained");
 				return retval;
 			}
-			/* verify that this is the password for this user */
+			/* verify that this is the password for this user
+			 * if we're not using NIS */
 
-			retval = _unix_verify_password(pamh, user, pass_old, ctrl);
+			if (off(UNIX_NIS, ctrl)) {
+				retval = _unix_verify_password(pamh, user, pass_old, ctrl);
+			}
 		} else {
 			D(("process run by root so do nothing this time around"));
 			pass_old = NULL;