If PAM is properly configured, you can change your Kerberos password in two ways.
By using passwd, you can set both your UNIX and Kerberos passwords at the same time. However, you can change only one password with passwd and leave the other password untouched.
A primary use for kpasswd is to change a password for a Kerberos principal that is not a valid UNIX user. For example, jdoe/admin is a Kerberos principal but not an actual UNIX user, so you must use kpasswd to change the password.
After you change your password, the password must propagate through the network. Depending on the size of the Kerberos network, the time that is required for the propagation might range from a few minutes to an hour or more. If you need to get new Kerberos tickets shortly after you change your password, try the new password first. If the new password doesn't work, try again using the old password.
Kerberos policy defines the criteria for passwords. A policy can be set for each user or a default policy can apply. For information about policies, see Administering Kerberos Policies. For an example that lists the criteria that can be set for Kerberos passwords, see Example 5–9. Password character classes are lowercase, uppercase, numbers, punctuation, and all other characters.