Every KRB-PRIV message we generate to include as part of a password change
request we create (after the first one) will include sequence numbers which
look "wrong" to the recipient, because previously generating other KRB-PRIV
messages will mess with the counters in the auth_context.  Because the
current code attempts to reuse auth_context structures (and changing that
would be more invasive), we'll just save the sequence number values as they
are after we build the AP-REQ, and restore them before generating requests.
RT#5867.

Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c	(revision 20195)
+++ src/lib/krb5/os/changepw.c	(working copy)
@@ -34,6 +34,7 @@
 #include "k5-int.h"
 #include "os-proto.h"
 #include "cm.h"
+#include "../krb/auth_con.h"
 
 #include <stdio.h>
 #include <errno.h>
@@ -48,6 +49,7 @@
     krb5_principal 	set_password_for;
     char 		*newpw;
     krb5_data 		ap_req;
+    krb5_ui_4		remote_seq_num, local_seq_num;
 };
 
 
@@ -159,6 +161,9 @@
 				       &local_kaddr, NULL))) 
 	goto cleanup;
 
+    ctx->auth_context->remote_seq_number = ctx->remote_seq_num;
+    ctx->auth_context->local_seq_number = ctx->local_seq_num;
+
     if (ctx->set_password_for)
 	code = krb5int_mk_setpw_req(ctx->context, 
 				    ctx->auth_context, 
@@ -225,6 +230,9 @@
 				     &callback_ctx.ap_req)))
 	goto cleanup;
 
+    callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number;
+    callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number;
+
     do {
 	if ((code = krb5_locate_kpasswd(callback_ctx.context,
 					krb5_princ_realm(callback_ctx.context,