THANK YOU, Robert, Michael, Martin.
I did not see the suggestion to run: pwd_mkdb /etc/master.passwd
until today.
After doing that, everything works! So thank you. With the config.conf:
default:
localcipher = sha1
ypcipher = sha1
There is still some weirdness, side-effect, tho, because:
# diff -b spwd.db spwd.db.new (that was the one when the trouble started)
(no difference) !
So it would seem as if pwd_mkdb has some additional side effect(s) besides writing a new spwd.db ?
Also:
# ll /usr/lib/libkrb5* /etc
-r--r--r-- 1 root wheel 1128816 Feb 27 05:27 /usr/lib/libkrb5.a
lrwxr-xr-x 1 root wheel 15 Jan 16 08:28 /usr/lib/libkrb5.so@ -> libkrb5.so.28.0
lrwxr-xr-x 1 root wheel 15 Aug 4 2022 /usr/lib/libkrb5.so.27@ -> libkrb5.so.27.0
-r--r--r-- 1 root wheel 651248 Aug 4 2022 /usr/lib/libkrb5.so.27.0
lrwxr-xr-x 1 root wheel 15 Jan 16 08:28 /usr/lib/libkrb5.so.28@ -> libkrb5.so.28.0
-r--r--r-- 1 root wheel 654432 Jan 16 08:28 /usr/lib/libkrb5.so.28.0
-r--r--r-- 1 root wheel 1169598 Feb 27 05:27 /usr/lib/libkrb5_p.a
So it seems like sysupgrade did the right thing.
Except... when passwd.conf is:
default:
localcipher = argon2id
ypcipher = old
and I run
pwd_mkdb /etc/master.passwd
I get this error from passwd again:
Couldn't generate salt.
Unable to change auth token: Error in service module
Obv with the 'sha1' cipher, all seems ok.
Not sure if this is worth more effort?
Thank you,
Mike