diff --git a/krb5-trunk-kpasswd_ipv6.patch b/krb5-trunk-kpasswd_ipv6.patch
new file mode 100644
index 0000000..4923142
--- /dev/null
+++ b/krb5-trunk-kpasswd_ipv6.patch
@@ -0,0 +1,75 @@
+Get the client libraries to correctly attempt password changes when using
+IPv6.  Sumit Bose, RT#6661
+
+Index: src/lib/krb5/os/changepw.c
+===================================================================
+--- src/lib/krb5/os/changepw.c	(revision 23766)
++++ src/lib/krb5/os/changepw.c	(revision 23767)
+@@ -65,20 +65,23 @@
+     int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM);
+ 
+     code = krb5int_locate_server (context, realm, addrlist,
+-                                  locate_service_kpasswd, sockType, AF_INET);
++                                  locate_service_kpasswd, sockType, AF_UNSPEC);
+ 
+     if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) {
+         code = krb5int_locate_server (context, realm, addrlist,
+                                       locate_service_kadmin, SOCK_STREAM,
+-                                      AF_INET);
++                                      AF_UNSPEC);
+         if (!code) {
+             /* Success with admin_server but now we need to change the
+                port number to use DEFAULT_KPASSWD_PORT and the socktype.  */
+             size_t i;
+             for (i=0; i<addrlist->naddrs; i++) {
+                 struct addrinfo *a = addrlist->addrs[i].ai;
++                krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT);
+                 if (a->ai_family == AF_INET)
+-                    sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT);
++                    sa2sin (a->ai_addr)->sin_port = kpasswd_port;
++                if (a->ai_family == AF_INET6)
++                    sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port;
+                 if (sockType != SOCK_STREAM)
+                     a->ai_socktype = sockType;
+             }
+@@ -131,10 +134,16 @@
+     /* some brain-dead OS's don't return useful information from
+      * the getsockname call.  Namely, windows and solaris.  */
+ 
+-    if (ss2sin(&local_addr)->sin_addr.s_addr != 0) {
++    if (local_addr.ss_family == AF_INET &&
++        ss2sin(&local_addr)->sin_addr.s_addr != 0) {
+         local_kaddr.addrtype = ADDRTYPE_INET;
+         local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr);
+         local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr;
++    } else if (local_addr.ss_family == AF_INET6 &&
++               ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) {
++        local_kaddr.addrtype = ADDRTYPE_INET6;
++        local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr);
++        local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr;
+     } else {
+         krb5_address **addrs;
+ 
+@@ -278,9 +287,19 @@
+             break;
+         }
+ 
+-        remote_kaddr.addrtype = ADDRTYPE_INET;
+-        remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
+-        remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
++        if (remote_addr.ss_family == AF_INET) {
++            remote_kaddr.addrtype = ADDRTYPE_INET;
++            remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
++            remote_kaddr.contents =
++                (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
++        } else if (remote_addr.ss_family == AF_INET6) {
++            remote_kaddr.addrtype = ADDRTYPE_INET6;
++            remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr);
++            remote_kaddr.contents =
++                (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr;
++        } else {
++            break;
++        }
+ 
+         if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
+                                            callback_ctx.auth_context,
diff --git a/krb5.spec b/krb5.spec
index a2d4e0d..d004fa8 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -93,6 +93,7 @@ Patch93: krb5-1.7-create_on_load.patch
 Patch95: krb5-1.8-opte.patch
 Patch96: krb5-1.8-exp_warn.patch
 Patch98: krb5-1.8-kpasswd_ccache.patch
+Patch99: krb5-trunk-kpasswd_ipv6.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -294,6 +295,7 @@ popd
 %patch95 -p1 -b .opte
 %patch96 -p1 -b .exp_warn
 %patch98 -p1 -b .kpasswd-ccache
+%patch99 -p0 -b .kpasswd-ipv6
 gzip doc/*.ps
 
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -867,6 +869,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Mon Mar  8 2010 Nalin Dahyabhai <nalin@redhat.com>
+- pull up patch to get the client libraries to correctly perform password
+  changes over IPv6 (Sumit Bose, RT#6661)
+
 * Fri Mar  5 2010 Nalin Dahyabhai <nalin@redhat.com> - 1.8-1
 - update to 1.8
   - temporarily bundling the krb5-appl package (split upstream as of 1.8)