From 0ea98a282823253ed36a3768ffda2a1e0599add7 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@fedoraproject.org>
Date: Jan 23 2008 19:58:14 +0000
Subject: - backport fix from 1.6.3 to get back traditional

    prompt-for-password-change- on-expired-password behavior back in kinit
    (and other users of krb5_get_init_creds_opt_alloc()) (#429918)

---

diff --git a/krb5-1.6.1-gic_opt_chg_pwd_prmpt.patch b/krb5-1.6.1-gic_opt_chg_pwd_prmpt.patch
new file mode 100644
index 0000000..f71f798
--- /dev/null
+++ b/krb5-1.6.1-gic_opt_chg_pwd_prmpt.patch
@@ -0,0 +1,31 @@
+Backport from 1.6.3: apps which use the new dynamic get_init_creds_opt
+structure don't get the same defaults as apps which use the old ones.
+--- krb5-1.6.1/src/lib/krb5/krb/gic_opt.c	2007-02-05 18:45:17.000000000 -0500
++++ krb5-1.6.3/src/lib/krb5/krb/gic_opt.c	2007-10-01 22:42:02.000000000 -0400
+@@ -1,9 +1,17 @@
+ #include "k5-int.h"
++#include "int-proto.h"
++
++static void
++init_common(krb5_get_init_creds_opt *opt)
++{
++    opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
++}
+ 
+ void KRB5_CALLCONV
+ krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
+ {
+-   opt->flags = KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
++    opt->flags = 0;
++    init_common(opt);
+ }
+ 
+ void KRB5_CALLCONV
+@@ -173,6 +181,7 @@
+ 	return ENOMEM;
+ 
+     *opt = (krb5_get_init_creds_opt *) opte;
++    init_common(*opt);
+     return 0;
+ }
+ 
diff --git a/krb5.spec b/krb5.spec
index ecdf20f..9d929c2 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -14,7 +14,7 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.6.2
-Release: 11%{?dist}
+Release: 12%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -94,6 +94,7 @@ Patch63: krb5-1.6.1-selinux-label.patch
 Patch64: krb5-ok-as-delegate.patch
 Patch67: krb5-trunk-server_delegation.patch
 Patch68: krb5-trunk-spnego_delegation.patch
+Patch69: krb5-1.6.1-gic_opt_chg_pwd_prmpt.patch
 
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
@@ -210,6 +211,11 @@ installed on systems which are meant provide these services.
 %endif
 
 %changelog
+* Wed Jan 23 2008 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-12
+- backport fix from 1.6.3 to get back traditional prompt-for-password-change-
+  on-expired-password behavior back in kinit (and other users of
+  krb5_get_init_creds_opt_alloc()) (#429918)
+
 * Fri Nov 16 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-11
 - backport a fix to make handling of returned flags during spnego credential
   delegation more forgiving of apps which don't care about flags but still
@@ -1256,6 +1262,7 @@ popd
 #%patch64 -p0 -b .ok-as-delegate
 %patch67 -p0 -b .server-delegation
 %patch68 -p0 -b .spnego_delegation
+%patch69 -p1 -b .gic_opt_chg_pwd_prmpt
 cp src/krb524/README README.krb524
 gzip doc/*.ps