From a331242c9cf3908fd0c87536a4f13873ab984ecd Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Tue, 8 Jun 2021 16:23:04 -0700
Subject: README: improve troubleshooting section for login protector not in
 sync

Update https://github.com/google/fscrypt/issues/273
---
 README.md | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 5650d76..ae3a1f8 100644
--- a/README.md
+++ b/README.md
@@ -789,12 +789,14 @@ guidelines in `CONTRIBUTING.md`. We will try our best to help.
 
 #### I changed my login passphrase, now all my directories are inaccessible
 
-The PAM module `pam_fscrypt.so` should automatically detect changes to a user's
-login passphrase so that they can still access their encrypted directories.
-However, sometimes a user's login passphrase can become desynchronized from
-their login protector.  This can happen if their login passphrase is managed by
-an external system, if the PAM module is not installed, or if the PAM module is
-not properly configured.  See [Enabling the PAM
+Usually, the PAM module `pam_fscrypt.so` will automatically detect changes to a
+user's login passphrase and update the user's `fscrypt` login protector so that
+they retain access their login-passphrase protected directories.  However,
+sometimes a user's login passphrase can become desynchronized from their
+`fscrypt` login protector.  This can happen if `root` assigns the user a new
+passphrase without providing the old one, if the user's login passphrase is
+managed by an external system such as LDAP, if the PAM module is not installed,
+or if the PAM module is not properly configured.  See [Enabling the PAM
 module](#enabling-the-pam-module) for how to configure the PAM module.
 
 To fix a user's login protector, find the corresponding protector ID by running
-- 
cgit v1.2.3