krb5: New package.

[people/amarx/ipfire-3.x.git] / krb5 / patches / krb5-1.10-kpasswd_tcp.patch

diff --git a/krb5/patches/krb5-1.10-kpasswd_tcp.patch b/krb5/patches/krb5-1.10-kpasswd_tcp.patch
new file mode 100644 (file)
index 0000000..fd8da8e
--- /dev/null
+++ b/krb5/patches/krb5-1.10-kpasswd_tcp.patch
@@ -0,0 +1,32 @@
+Fall back to TCP on kdc-unresolvable/unreachable errors.  We still have
+to wait for UDP to fail, so this might not be ideal.  RT #5868.
+
+--- krb5/src/lib/krb5/os/changepw.c
++++ krb5/src/lib/krb5/os/changepw.c
+@@ -270,10 +270,22 @@ change_set_password(krb5_context context
+                          &callback_info, &chpw_rep, ss2sa(&remote_addr),
+                          &addrlen, NULL, NULL, NULL);
+         if (code) {
+-            /*
+-             * Here we may want to switch to TCP on some errors.
+-             * right?
+-             */
++            /* if we're not using a stream socket, and it's an error which
++             * might reasonably be specific to a datagram "connection", try
++             * again with a stream socket */
++            if (!use_tcp) {
++                switch (code) {
++                case KRB5_KDC_UNREACH:
++                case KRB5_REALM_CANT_RESOLVE:
++                case KRB5KRB_ERR_RESPONSE_TOO_BIG:
++                /* should we do this for more result codes than these? */
++                    k5_free_serverlist (&sl);
++                    use_tcp = 1;
++                    continue;
++                default:
++                    break;
++                }
++            }
+             break;
+         }
+