pam_sm_chauthtok missing, and automatic pam-auth-update causing problems

Asked by Gordon Good

When I install libpam-tacplus_1.3.7-1_amd64.deb, one of the package scripts seems to run "pam-auth-update tacplus", as the files /etc/pam.d/common-* are updated to include libpam-tacplus.

The problem is that common-password is modified, but it appears that the pam_sm_chauthtok symbol isn't present in the library. This causes the PAM password service to fail, and the following message appears in /var/log/auth.log:

Aug 16 23:17:54 192-168-3-4 passwd[6070]: PAM unable to resolve symbol: pam_sm_chauthtok

Perhaps the module in the Ubuntu distro is being compiled without PAM_SM_PASSWORD defined?

As a side note, if the package install scripts automatically run pam-auth-update tacplus, it makes it impossible to include libpam-tacplus in a distro. This is because configuration for libtacplus is added to the common-* files, but no TACACS+ server is configured. This causes all logins to fail with the following (in auth.log):

Aug 16 23:15:30 192-168-3-4 PAM-tacplus[6022]: TACACS+ service type not configured

We've tried to create an appliance that contains libpam-tacplus, but after installation, it's impossible to log in for the reason stated above. The only way to recover is to boot into single-user mode and unconfigure libpam-tacplus (or point it at a TACACS+ server).

I suppose we could work around this by running pam-auth-update -r tacplus, later in our appliance install process, but I would prefer if pam-auth-update were not run automatically on package install.

Thanks

Question information

Language: English
Status: Answered
For: Ubuntu libpam-tacplus
Assignee: No assignee

actionparsnip (andrew-woodhead666) said :
#1

I suggest you report a bug.

Danny Spell (ddspell) said :
#2

I know this post is old (9 years ago!) and who knows if you're still around, but did you ever solve this issue?

I'm having the same problem.

Danny Spell (ddspell) said :
#3

Actually, I have the answer now.

Having an independent PAM settings file in /etc/pam.d won't work.

You have to add your module parameters to the lines inserted into:
common-account
common-auth
common-password
common-session
common-session-noninteractive
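
Added example, not part of the thread or of the libpam-tacplus package: a shell check for the failure described in the question, where a module is named in a common-* file for a management group whose entry point it does not export. The module file name pam_tacplus.so, the config lines and the symbol table are assumptions constructed for the demonstration; on a real system the symbol file would come from `nm -D --defined-only` run on the installed module.

```shell
#!/bin/sh
# Added example: flag PAM management groups whose config names a module that
# does not export the entry point libpam resolves for that group.

# Entry points per management group (Linux-PAM module API).
required_symbols() {
  case "$1" in
    auth)     echo "pam_sm_authenticate pam_sm_setcred" ;;
    account)  echo "pam_sm_acct_mgmt" ;;
    password) echo "pam_sm_chauthtok" ;;
    session)  echo "pam_sm_open_session pam_sm_close_session" ;;
  esac
}

# groups_using MODULE DIR: management groups whose config lines name MODULE.
groups_using() {
  awk -v mod="$1" '
    /^[ \t]*#/ || NF < 3 { next }      # skip comments and @include lines
    index($0, mod) { t = $1; sub(/^-/, "", t); print t }
  ' "$2"/* | sort -u
}

# missing_entry_points MODULE DIR SYMFILE
# SYMFILE holds the output of: nm -D --defined-only /path/to/MODULE
missing_entry_points() (
  for group in $(groups_using "$1" "$2"); do
    for sym in $(required_symbols "$group"); do
      awk -v s="$sym" '$NF == s { found = 1 } END { exit !found }' "$3" ||
        echo "$group:$sym"
    done
  done
)

# Constructed sample: config lines and symbol table are made up to mirror the
# symptom in the question; pam_tacplus.so is an assumed module file name.
demo() (
  d=$(mktemp -d)
  for g in auth account password session; do
    echo "$g [success=1 default=ignore] pam_tacplus.so" > "$d/common-$g"
  done
  sym=$(mktemp)
  printf '0000000000001000 T %s\n' pam_sm_authenticate pam_sm_setcred \
    pam_sm_acct_mgmt pam_sm_open_session pam_sm_close_session > "$sym"
  missing_entry_points pam_tacplus.so "$d" "$sym"
  rm -rf "$d" "$sym"
)

demo   # prints: password:pam_sm_chauthtok
```

Running this in an image build before the common-* files go live catches the unresolved-symbol case without needing a failed passwd run to surface it in auth.log.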
