diff --git a/examples/passwd-wrapper.scm b/examples/passwd-wrapper.scm
index f0ac149..bc3c406 100755
--- a/examples/passwd-wrapper.scm
+++ b/examples/passwd-wrapper.scm
@@ -97,7 +97,7 @@ Please choose a password with at least 2 character classes.") (if (not systype) (error "Cannot determine system type ($SYSTYPE not set).")) (cond - ((string=? systype "sun4x_58") 'sun) + ((string=? systype "sun4x_59") 'solaris) ((string=? systype "i386_fbsd52") 'freebsd) ((string=? systype "i386_linux24") 'linux) (else (raise-unsupported-machine)))))
@@ -209,13 +209,24 @@ Please choose a password with at least 2 character classes.") "Verify failure" "Success")) ((solaris) (define-passwd "/afs/wsi/sun4x_58/krb5-1.3.1/bin/kpasswd" - ;; TODO - )) + (rx (: "Password for " (+ (- any #\:)) ": ")) + "Enter new password: : " + "Enter it again: : " + "Password incorrect while getting initial ticket" + "Password mismatch while reading password" + "Password changed.")) ;; ((linux) (define-passwd "/afs/wsi/i386_rh90/heimdal-0.6/bin/kpasswd" ;; ;; TODO ;; )) )) +(define kerbv-programs + (case system-type + ((freebsd) (cons "/afs/wsi/i386_fbsd52/heimdal-1.6/bin/klist" + "/afs/wsi/i386_fbsd52/heimdal-1.6/bin/kinit")) + ((solaris) (cons "/afs/wsi/sun4x_58/krb5-1.3.1/bin/klist" + "/afs/wsi/sun4x_58/krb5-1.3.1/bin/kinit")))) + (define (verify-kerbv-password password) (verify-password kerberos-v password))
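Review bot: `kerbv-programs` is built by a `case` on `system-type` with no `else` clause, while the systype `cond` in the first hunk still maps `i386_linux24` to `'linux`; on such a host the value is unspecified and a later `(car kerbv-programs)` would fail far from the cause. An explicit last clause such as `(else (raise-unsupported-machine))`, mirroring the `cond`, would make that failure immediate and readable. The Solaris entries here still point under `/afs/wsi/sun4x_58/` although the first hunk now matches `sun4x_59`; if that is deliberate, a comment like `;; sun4x_59 hosts run the sun4x_58 builds` would say so. The doubled colons in `"Enter new password: : "` and `"Enter it again: : "` deserve a one-line comment stating that they reproduce kpasswd's prompt verbatim, so nobody later "corrects" them and breaks the match.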
@@ -223,13 +234,20 @@ Please choose a password with at least 2 character classes.") (change-password kerberos-v old-pw new-pw)) (define (valid-kerbv-ticket?) - ;; neither "No ticket file" nor ">>>Expired<<<" in klist output - #f ;; TODO - ) + (let* ((klist (car kerbv-programs)) + (output (run/string (,klist)))) + (not (string-match (rx (| "No ticket file" ">>>Expired<<<")) output)))) (define (get-kerbv-ticket password) - ;; TODO look at status result - (run (kinit))) + ;; TODO look at status result? + (let ((kinit (cdr kerbv-programs))) + (let ((res (chat (spawn (,kinit)) + (chat-timeout 3) + (look-for "Password") (sleep 0.1) + (send password) + (look-for "Password incorrect") + #f))) + res))) (define (ensure-kerbv-ticket password) (or (valid-kerbv-ticket?)
@@ -250,7 +268,7 @@ Please choose a password with at least 2 character classes.") "Password changed.")) ((solaris) (define-passwd "/afs/wsi/sun4x_58/openafs-1.2.11/bin/kpasswd" "Old password: " - "New password (RETURN to abort): " + (rx "New password (RETURN to abort): ") "Retype new password: " "kpasswd: Incorrect old password." "Mismatch"
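Review bot: `valid-kerbv-ticket?` fails open: it reports a valid ticket whenever the text captured from klist lacks the two strings, which includes the cases where klist could not be run, wrote its complaint to a stream `run/string` does not capture (stderr, presumably), or words the condition differently. The two strings look like one implementation's wording, and the Solaris entry of `kerbv-programs` is an MIT krb5 klist, so this needs testing on both platforms. Deciding on klist's exit status rather than on the absence of text would make "no ticket" the default answer. In `get-kerbv-ticket` the `chat` body ends in a literal `#f`, so as far as the hunk shows the function yields `#f` once "Password incorrect" is seen and otherwise depends on what `chat` returns when the 3-second timeout aborts it; a comment stating the intended return contract, and waiting on the spawned kinit, would help `ensure-kerbv-ticket`, whose body continues outside the hunk.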
@@ -269,18 +287,40 @@ Please choose a password with at least 2 character classes.") (verify-yp-password pw)) (define (change-all-passwords old-pw new-pw) - ;; TODO: maybe undo password changes if next changes fail - is - ;; difficult because Kerberos passwords need some minutes to become - ;; effective - (and (change-yp-password old-pw new-pw) - (begin - (display "NIS password changed successfully.\n") - ;; TODO: make sure we have a ticket - (and (change-kerbv-password old-pw new-pw) - (begin - (display "Kerberos V password changed successfully.\n") - (and (change-afs-password old-pw new-pw) - (display "AFS password changed successfully.\n"))))))) + (if (change-yp-password old-pw new-pw) + (begin + (display "NIS password changed successfully.\n") + ;; TODO: make sure we have a ticket + (if (change-kerbv-password old-pw new-pw) + (begin + (display "Kerberos V password changed successfully.\n") + (if (change-afs-password old-pw new-pw) + (display "AFS password changed successfully.\n") + (begin + (display "AFS password could not be changed. Trying to restore old NIS and Kerberos V passwords.\n") + (if (change-yp-password new-pw old-pw) + (begin + (display "Old NIS password restored.\n") + ;; because the Kerberos password needs some + ;; minutes to become effective, we also try + ;; it with the old password. + (if (or (change-kerbv-password old-pw old-pw) + (change-kerbv-password new-pw old-pw)) + (display "Old Kerberos V password restored.\n") + (begin + (display "Old Kerberos V password could not be restored.\n") + #f))) + (begin + (display "Old NIS password could not be restored.\n") + #f))))) + (begin + (display "Kerberos V password could not be changed. Trying to restore old NIS password.\n") + (if (change-yp-password new-pw old-pw) + (display "Old NIS password restored.\n") + (begin + (display "Old NIS password could not be restored.\n") + #f))))) + (display "NIS password could not be changed. 
No passwords changed.\n"))) (define (ask/check-old-password) (let ((old-pw-prompt "Old password: "))
@@ -332,9 +372,11 @@ Please choose a password with at least 2 character classes.") ((freebsd solaris) (let ((old-pw (ask/check-old-password)) (new-pw (ask-new-password))) - (if (change-all-passwords old-pw new-pw) - (display "Password changed.\n") - (display "Password could not be changed.\n")))) + (if (not (ensure-kerbv-ticket old-pw)) + (display "Cannot get a Kerberos-V ticket, required to change the Kerberos-V password. Use a different machine, or contact your administrator.") + (if (change-all-passwords old-pw new-pw) + (display "Passwords changed.\n") + (display "Warning: Your passwords are not consistent anymore. Contact your system administrator.\n"))))) (else (raise-unsupported-machine))) (display-usage)))
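Review bot: The result of `change-all-passwords` no longer says whether the passwords were changed: only the branches where a restore failed return `#f`, and every other branch, including the final `(display "NIS password could not be changed. No passwords changed.\n")` and the two successful rollbacks, returns whatever `display` returns. That value is unspecified and counts as true in the Scheme implementations I know, so the caller in the last hunk would print "Passwords changed." directly after a failure message. Ending each branch with an explicit value, for example `'changed`, `'rolled-back` and `'inconsistent`, and dispatching on it in the caller would keep the three outcomes apart. The rollback call `(change-kerbv-password old-pw old-pw)` also assumes the KDC accepts a change to the current password; a password-history or minimum-age policy may refuse it, which is worth stating in the comment above it.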
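Review bot: The ticket check runs only after both `ask/check-old-password` and `ask-new-password` have prompted, so a user on a host that cannot obtain a ticket types a new password that is then discarded. Binding with `let*` and calling `(ensure-kerbv-ticket old-pw)` before `ask-new-password` would stop earlier and keep the new password out of the process on the failing path. The new "Cannot get a Kerberos-V ticket…" string is the only message in this hunk without a trailing `\n`. The enclosing dispatch starts outside the hunk, so I cannot see whether this path changes the exit status; if it does not, a script calling the wrapper cannot tell it from success.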