diff --git a/krb5-trunk-kpasswd_tcp.patch b/krb5-trunk-kpasswd_tcp.patch
new file mode 100644
index 0000000..931523e
--- /dev/null
+++ b/krb5-trunk-kpasswd_tcp.patch
@@ -0,0 +1,34 @@
+Fall back to TCP on kdc-unresolvable/unreachable errors.
+
+Index: src/lib/krb5/os/changepw.c
+===================================================================
+--- src/lib/krb5/os/changepw.c	(revision 20199)
++++ src/lib/krb5/os/changepw.c	(working copy)
+@@ -251,11 +251,22 @@
+ 				   NULL,
+ 				   NULL
+ 		 ))) {
+-
+-	    /*
+-	     * Here we may want to switch to TCP on some errors.
+-	     * right?
+-	     */
++	    /* if we're not using a stream socket, and it's an error which
++	     * might reasonably be specific to a datagram "connection", try
++	     * again with a stream socket */
++	    if (!useTcp) {
++		switch (code) {
++		case KRB5_KDC_UNREACH:
++		case KRB5_REALM_CANT_RESOLVE:
++		case KRB5KRB_ERR_RESPONSE_TOO_BIG:
++		/* should we do this for more result codes than these? */
++		    krb5int_free_addrlist (&al);
++		    useTcp = 1;
++		    continue;
++		default:
++		    break;
++		}
++	    }
+ 	    break;
+ 	}
+