commit f1783431cb8f146095067f5e2531e9155a8787bb
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Date:   Wed Apr 18 14:01:39 2012 -0400

    Turn off replay cache in krb5_verify_init_creds()
    
    The library isn't attempting a replay attack on itself, so any detected
    replays are only going to be false-positives.
    
    ticket: 7229 (new)

diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
index 14acb0a..e88a37f 100644
--- a/src/lib/krb5/krb/vfy_increds.c
+++ b/src/lib/krb5/krb/vfy_increds.c
@@ -149,6 +149,15 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server,
         authcon = NULL;
     }
 
+    /* Build an auth context that won't bother with replay checks -- it's
+     * not as if we're going to mount a replay attack on ourselves here. */
+    ret = krb5_auth_con_init(context, &authcon);
+    if (ret)
+        goto cleanup;
+    ret = krb5_auth_con_setflags(context, authcon, 0);
+    if (ret)
+        goto cleanup;
+
     /* Verify the ap_req. */
     ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL);
     if (ret)