Comment 1 for bug 302026

Thierry Carrez (ttx) wrote :

Confirming...
Once likewise-open is installed (whether a domain is joined or not), running "passwd" to change a local password fails: it never prompts for a new password. (Changing a domain password works.)

It also always returns "passwd: password updated successfully"

I suppose there is something wrong in the PAM stack:
password [success=2 default=ignore] pam_lwidentity.so
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so

use_authtok forces pam_unix.so to use the password entered for pam_lwidentity.so... but if the user is not in the domain there is no such token. There is little to gain in reusing passwords between pam_lwidentity.so and pam_unix.so, since they aren't targeting the same users...

As a dirty workaround "use_authtok" can be removed from /etc/pam.d/common-password:
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
(that change will be overridden next time pam-auth-update is run)
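
An added example, not part of the comment above or of likewise-open: a small checker that parses a PAM password stack and flags any module carrying use_authtok that can be reached without an earlier module having set a new password. The function names are hypothetical, the sample input is the stack quoted in the comment, and the rule for "failure is ignored" is a heuristic assumption, not libpam's full control semantics.

```python
import re

# Constructed sample: the password stack quoted in the comment above.
SAMPLE_STACK = """\
password [success=2 default=ignore] pam_lwidentity.so
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
"""

# type, control (simple keyword or [value=action ...]), module, arguments
LINE_RE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_password_stack(text):
    """Return (lineno, control, module, args) for each 'password' line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = LINE_RE.match(line)
        if m and m.group(1).lstrip("-") == "password":
            entries.append((lineno, m.group(2), m.group(3), m.group(4).split()))
    return entries

def failure_is_ignored(control):
    """Heuristic: True if a non-success result lets the stack carry on.
    A bracketed control with no explicit default is treated as not ignored
    (assumption made for this example)."""
    if control.startswith("["):
        actions = dict(kv.split("=", 1) for kv in control[1:-1].split() if "=" in kv)
        return actions.get("default") == "ignore"
    return control in ("optional", "sufficient")

def unbacked_use_authtok(text):
    """Flag use_authtok modules that may run with no new token set."""
    findings, token_guaranteed = [], False
    for lineno, control, module, args in parse_password_stack(text):
        if "use_authtok" in args and not token_guaranteed:
            findings.append((lineno, module))
        # Assumption: a module without use_authtok obtains the new password
        # itself; if its failure also stops the stack, later modules get a token.
        if "use_authtok" not in args and not failure_is_ignored(control):
            token_guaranteed = True
    return findings

if __name__ == "__main__":
    for lineno, module in unbacked_use_authtok(SAMPLE_STACK):
        print(f"line {lineno}: {module} has use_authtok, but every earlier "
              "password module can be skipped without setting a token")
```

Run against a copy of /etc/pam.d/common-password, it reports the pam_unix.so line in the stack above and nothing once use_authtok is removed from that line.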