Delta from 1.12 to 1.13 from Linux-PAM pam_unix_passwd.c made to work with our changes. Not sure this is actually relevant, as other changes seem to have been made upstream.
Index: Linux-PAM/modules/pam_unix/pam_unix_passwd.c
===================================================================
--- Linux-PAM/modules/pam_unix/pam_unix_passwd.c (revision 295)
+++ Linux-PAM/modules/pam_unix/pam_unix_passwd.c (working copy)
@@ -553,6 +553,15 @@
 retval = PAM_AUTHTOK_ERR;
 goto done;
 }
+
+#ifdef USE_LCKPWDF
+ retval = lckpwdf();
+ if (retval != 0) {
+ retval = PAM_AUTHTOK_LOCK_BUSY;
+ goto done;
+ }
+#endif /* def USE_LCKPWDF */
+
 if (on(UNIX_SHADOW, ctrl) || _unix_shadowed(pwd)) {
 retval = _update_shadow(pamh, forwho, towhat);
 if (retval == PAM_SUCCESS)
@@ -569,10 +578,6 @@
 int status;
 int err = 0;
- /* Unlock passwd file to avoid deadlock */
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
 /* Make RPC call to NIS server */
 if ((master = getNISserver(pamh)) == NULL)
 return PAM_TRY_AGAIN;
@@ -770,7 +775,7 @@
 int argc, const char **argv)
 {
 unsigned int ctrl, lctrl;
- int retval, i;
+ int retval;
 int remember = -1;
 /* */
@@ -1007,30 +1012,11 @@
 pass_new = pass_old = NULL; /* tidy up */
 return retval;
 }
-#ifdef USE_LCKPWDF
- /* These values for the number of attempts and the sleep time
- are, of course, completely arbitrary.
- My reading of the PAM docs is that, once pam_chauthtok() has been
- called with PAM_UPDATE_AUTHTOK, we are obliged to take any
- reasonable steps to make sure the token is updated; so retrying
- for 1/10 sec. isn't overdoing it. */
- i=0;
- while((retval = lckpwdf()) != 0 && i < 100) {
- usleep(1000);
- i++;
- }
- if(retval != 0) {
- return PAM_AUTHTOK_LOCK_BUSY;
- }
-#endif
 if (pass_old) {
 retval = _unix_verify_password(pamh, user, pass_old, ctrl);
 if (retval != PAM_SUCCESS) {
 _log_err(LOG_NOTICE, pamh, "user password changed by another process");
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
 return retval;
 }
 }
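Review bot: The `lckpwdf()` added in the -553 hunk has no matching `ulckpwdf()` anywhere in this diff, and its failure branch jumps to `done`, which lies outside the hunk; confirm that `done` releases the lock on every path that acquired it and that nothing after the acquisition returns directly. The -569 hunk removes the unlock that used to precede the NIS RPC, so if that code can run after this acquisition its `return PAM_TRY_AGAIN;` would leave the passwd lock held while the process lives; the lines shown do not settle whether it can. Because the hunks at -1007, -1038, -1049 and -1093 remove the earlier acquisition, the old-password re-check (`_unix_verify_password`, "user password changed by another process") and the actual write no longer appear to run under one lock, which opens a window for a concurrent change between check and update. A comment at the acquisition such as `/* released at done: every exit below must go through it */` would document the pairing.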
@@ -1038,9 +1024,6 @@
 retval = _unix_verify_shadow(pamh, user, ctrl);
 if (retval != PAM_SUCCESS) {
 _log_err(LOG_NOTICE, pamh, "user not authenticated 2");
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
 return retval;
 }
@@ -1049,9 +1032,6 @@
 _log_err(LOG_NOTICE, pamh, "new password not acceptable 2");
 pass_new = pass_old = NULL; /* tidy up */
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
 return retval;
 }
@@ -1093,9 +1073,6 @@
 _log_err(LOG_CRIT, pamh, "out of memory for password");
 pass_new = pass_old = NULL; /* tidy up */
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
 return PAM_BUF_ERR;
 }
 /* copy first 8 bytes of password */