Public Submitter via RT wrote: > Btw: If this call with static SOCK_STREAM is correct, why is call > three lines above > > code = krb5int_locate_server (context, realm, addrlist, > locate_service_kpasswd, sockType, 0); > > with sockType correct? This is correct because kpasswd is a service that exists for both UDP and TCP. kadmind is only TCP. Therefore, when the search occurs, you want to check krb5.conf first and if there is no matching entry perform a DNS SRV record search for the service type that you are looking for. For kpasswd you want to search for _kpasswd._udp.REALM or _kpasswd._tcp.REALM depending on the type of connection the caller wants to make. There search for kadmin is there as a backup in case the kpasswd entries were not created. There will only ever be a _kadmin._tcp.REALM record so we must always search for SOCK_STREAM. That is why fixing up the ai records after the lookup is the correct fix. Since you have verified that ai_socktype is being set to the requested value, I do not understand how src/krb5/lib/krb5/os/sendto_kdc.c setup_connection() and start_connection() can be creating the wrong type of connection. Perhaps you can debug that further.