X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=krb5%2Fpatches%2Fkrb5-1.10-kpasswd_tcp.patch;fp=krb5%2Fpatches%2Fkrb5-1.10-kpasswd_tcp.patch;h=fd8da8e58550a0aa31d60051664df79fa8c32930;hb=6cf77d0523cec8229ba22fd925014010c017e0af;hp=0000000000000000000000000000000000000000;hpb=092b90ae70ba2734427536e464fd5ccc777d04ea;p=people%2Famarx%2Fipfire-3.x.git
diff --git a/krb5/patches/krb5-1.10-kpasswd_tcp.patch b/krb5/patches/krb5-1.10-kpasswd_tcp.patch
new file mode 100644
index 000000000..fd8da8e58
--- /dev/null
+++ b/krb5/patches/krb5-1.10-kpasswd_tcp.patch
@@ -0,0 +1,32 @@
+Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
+to wait for UDP to fail, so this might not be ideal. RT #5868.
+
+--- krb5/src/lib/krb5/os/changepw.c
++++ krb5/src/lib/krb5/os/changepw.c
+@@ -270,10 +270,22 @@ change_set_password(krb5_context context
+ &callback_info, &chpw_rep, ss2sa(&remote_addr),
+ &addrlen, NULL, NULL, NULL);
+ if (code) {
+- /*
+- * Here we may want to switch to TCP on some errors.
+- * right?
+- */
++ /* if we're not using a stream socket, and it's an error which
++ * might reasonably be specific to a datagram "connection", try
++ * again with a stream socket */
++ if (!use_tcp) {
++ switch (code) {
++ case KRB5_KDC_UNREACH:
++ case KRB5_REALM_CANT_RESOLVE:
++ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
++ /* should we do this for more result codes than these? */
++ k5_free_serverlist (&sl);
++ use_tcp = 1;
++ continue;
++ default:
++ break;
++ }
++ }
+ break;
+ }
+
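Review bot: In the new `case KRB5_KDC_UNREACH:` arm of `change_set_password`, the request is sent again over TCP although an unreachable result does not show that the UDP request was never processed, so a password change whose reply was lost could be submitted twice; whether the server treats the repeat as harmless is not visible here. The open question in `/* should we do this for more result codes than these? */` would be better replaced by a comment stating the contract, for example `/* retry once over TCP (the !use_tcp guard prevents looping); the UDP request may already have been processed */`. The enclosing loop begins and ends outside the hunk, so it is worth confirming that `continue` re-runs the server lookup with the stream socket type rather than leaving the loop. `k5_free_serverlist (&sl);` also has a space before the parenthesis, unlike `ss2sa(&remote_addr)` in the context lines.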