One thing I have stumbled upon in the past: When changing passwords it might be necessary to delete the key from a running factotum on the server. Then one may need to use ipso to update the secstore as well. When changing the host owner's key you also need to auth/wrkey the changes back to nvram.
Changing passwords in Plan9
written by Christian Kellermann on 2007-10-31