Some newer OS's (Fedora 9) use SHA-512 by default. DA is often not compiled with support for SHA, so once a password is changed, DA calls the “passwd” program, which would set the new password into SHA-512. DA would then not be able to use it, and you wouldn't be able to login.
The solution is to edit:
/etc/pam.d/system-auth-ac
Find the line:
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
change it to:
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
On debian systems, edit:
/etc/login.defs
and change:
#MD5_CRYPT_ENAB no
to
MD5_CRYPT_ENAB yes
which tells the chpasswd command, called by DA, to use the MD5 instead of SHA-512.