Fall back to the library default for whether or not to prompt for a password- change during authentication, if we weren't passed any options. RT#6681
diff -up krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte krb5-1.8/src/lib/krb5/krb/gic_pwd.c
--- krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte 2009-12-23 11:00:05.000000000 -0500
+++ krb5-1.8/src/lib/krb5/krb/gic_pwd.c 2010-03-05 11:03:42.000000000 -0500
@@ -123,6 +123,7 @@ krb5_get_init_creds_password(krb5_contex
 int tries;
 krb5_creds chpw_creds;
 krb5_get_init_creds_opt *chpw_opts = NULL;
+ krb5_gic_opt_ext *opte = NULL;
 krb5_data pw0, pw1;
 char banner[1024], pw0array[1024], pw1array[1024];
 krb5_prompt prompt[2];
@@ -218,7 +219,8 @@ krb5_get_init_creds_password(krb5_contex
 * to prompt. Prompting is only disabled if the option has been set * and the value has been set to false. */
- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+ krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL);
+ if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
 goto cleanup;
 /* ok, we have an expired password. Give the user a few chances
@@ -332,6 +334,8 @@ krb5_get_init_creds_password(krb5_contex
 &use_master, &as_reply);
 cleanup:
+ if (opte != options)
+ krb5_get_init_creds_opt_free(context, opte);
 krb5int_set_prompt_types(context, 0);
 /* if getting the password was successful, then check to see if the password is about to expire, and warn if so */
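Review bot: The result of `krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL)` is discarded in the second hunk, so if the conversion fails `opte` is presumably still NULL (as initialised in the first hunk) and the `opte->flags` test on the next line dereferences it on the expired-password path. Check the result before touching the pointer, for example `if (krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL) != 0) goto cleanup;`, which leaves the error already being returned untouched. The enclosing function starts and ends outside the hunk, so whether a different error code should be propagated instead cannot be judged from here.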
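Review bot: The cleanup guard `if (opte != options)` in the third hunk compares a `krb5_gic_opt_ext *` with what appears to be a `krb5_get_init_creds_opt *`, and it is also true on every path that reaches `cleanup:` before the conversion ran, where `opte` is still NULL while `options` is not. Correctness then depends on `krb5_get_init_creds_opt_free()` tolerating a NULL argument, which is not visible in this patch. Stating the ownership rule explicitly would be safer: `if (opte != NULL && (krb5_get_init_creds_opt *)opte != options)` followed by `krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);`. A short comment such as `/* opte is a private copy unless it aliases the caller's options */` would record why the free is conditional.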