Fall back to TCP on kdc-unresolvable/unreachable errors.  We still have

to wait for UDP to fail, so this might not be ideal.  RT #5868.

--- krb5/src/lib/krb5/os/changepw.c

+++ krb5/src/lib/krb5/os/changepw.c

@@ -270,10 +270,22 @@ change_set_password(krb5_context context

                          &callback_info, &chpw_rep, ss2sa(&remote_addr),

                          &addrlen, NULL, NULL, NULL);

         if (code) {

-            /*

-             * Here we may want to switch to TCP on some errors.

-             * right?

-             */

+            /* if we're not using a stream socket, and it's an error which

+             * might reasonably be specific to a datagram "connection", try

+             * again with a stream socket */

+            if (!use_tcp) {

+                switch (code) {

+                case KRB5_KDC_UNREACH:

+                case KRB5_REALM_CANT_RESOLVE:

+                case KRB5KRB_ERR_RESPONSE_TOO_BIG:

+                /* should we do this for more result codes than these? */

+                    k5_free_serverlist (&sl);

+                    use_tcp = 1;

+                    continue;

+                default:

+                    break;

+                }

+            }

             break;

         }