Backport from ticket 7229.
--- krb5-1.10.2/src/lib/krb5/krb/vfy_increds.c
+++ krb5-1.10.2/src/lib/krb5/krb/vfy_increds.c
@@ -194,6 +194,13 @@ krb5_verify_init_creds(krb5_context cont
authcon = NULL;
}
+ /* Build an auth context that won't bother with replay checks -- it's
+ * not as if we're going to mount a replay attack on ourselves here. */
+ if (ret = krb5_auth_con_init(context, &authcon))
+ goto cleanup;
+ if (ret = krb5_auth_con_setflags(context, authcon, 0))
+ goto cleanup;
+
/* verify the ap_req */
if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab,