I'm using pam to authenticate users against my krb5 realm. Here is the
problem scenario:

User test2 attempts to login and their password is not expired so
dovecot says: 0 login test2 myfavoritepassword 0 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
SORT THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN
NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH
ESORT SEARCHRES WITHIN CONTEXT=SEARCH] Logged in 1 logout

• BYE Logging out 1 OK Logout completed.

User test1 attempts to login, but their password is expired. So
dovecot says: 0 login test1 myfavoritepassword 0 NO d expired

User test2 attempts to login and their password is not expired. But
dovecot still says: 0 login test2 myfavoritepassword 0 NO d expired

If I kill the pid with name "dovecot-auth -w", user test2 can login
just fine unless I login with the user test1 before trying user test2.
So it seems like something is getting cached. I'm running imap-login
out of inetd, in case that matters.

In my dovecot.conf, I don't have any caching/authentication variables
activated. I don't see anything obvious to type in passdb pam{ } to
type.

For debug, I've enable pam for telnet and tested that without error.
Also, the logs show that test2

This is dovecot revision 9062:694714d59cd9 . Looking at the logs, I
see user test2 authenticate correctly in all instances.

thanks, Jonathan