krb5/patches/krb5-1.10-kpasswd_tcp.patch

   1 Fall back to TCP on kdc-unresolvable/unreachable errors.  We still have
   2 to wait for UDP to fail, so this might not be ideal.  RT #5868.
   3
   4 --- krb5/src/lib/krb5/os/changepw.c
   5 +++ krb5/src/lib/krb5/os/changepw.c
   6 @@ -270,10 +270,22 @@ change_set_password(krb5_context context
   7                           &callback_info, &chpw_rep, ss2sa(&remote_addr),
   8                           &addrlen, NULL, NULL, NULL);
   9          if (code) {
  10 -            /*
  11 -             * Here we may want to switch to TCP on some errors.
  12 -             * right?
  13 -             */
  14 +            /* if we're not using a stream socket, and it's an error which
  15 +             * might reasonably be specific to a datagram "connection", try
  16 +             * again with a stream socket */
  17 +            if (!use_tcp) {
  18 +                switch (code) {
  19 +                case KRB5_KDC_UNREACH:
  20 +                case KRB5_REALM_CANT_RESOLVE:
  21 +                case KRB5KRB_ERR_RESPONSE_TOO_BIG:
  22 +                /* should we do this for more result codes than these? */
  23 +                    k5_free_serverlist (&sl);
  24 +                    use_tcp = 1;
  25 +                    continue;
  26 +                default:
  27 +                    break;
  28 +                }
  29 +            }
  30              break;
  31          }
  32