Description of problem:
When the libkrb5 password-change routines generate a set-password or change-password request, they do so in a way that the sequence number included in password-change requests destined for any server after the first is incorrect.

Version-Release number of selected component (if applicable):
1.6.1

How reproducible:
Always

Steps to Reproduce:
1. Set multiple 'kpasswd_server' values for your realm in krb5.conf, with one which is known-good listed second (or third, or in any position except the first).
2. Run 'kpasswd' to attempt to change your password.

Actual results:
You'll get a decryption error from the server.

Expected results:
Not the error.

Additional information:
After we solve the client-doesn't-try-to-change-passwords-over-TCP problem, we hit this when the client attempts to connect to the password-change service over TCP. My Windows Server 2003 box seems to ignore this, but it crops up with an MIT server (heck, our own corporate server) and the FreeIPA kpasswd server.
Created attachment 290971: candidate patch which fixes this for me
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0381.html