commit 51c14a1f30cdfcfff8815f02e72c2ee841b16120 Author: Greg Hudson Date: Sun Feb 17 12:23:30 2013 -0500 Allow multi-hop SAM-2 exchanges Prior to 1.11, it was possible to do SAM-2 preauth exchanges with multiple hops by sending repeated preauth-required errors with different challenges (which is not the way multi-hop exchanges are described in RFC 6113, but it can still work). This stopped working when SAM-2 was converted to a built-in module because of the use_count field. Disable the use count for SAM-2 specifically.
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 23f00f3..4e235bd 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -590,7 +590,8 @@ run_preauth_plugins(krb5_context kcontext,
 TRACE_PREAUTH_SKIP(kcontext, module->name, module->pa_type);
 continue;
 }
- module->use_count++;
+ if (module->pa_type != KRB5_PADATA_SAM_CHALLENGE_2)
+ module->use_count++;
 }
 /* run the module's callback function */
 out_pa_data = NULL;
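Review bot: The new exemption `if (module->pa_type != KRB5_PADATA_SAM_CHALLENGE_2)` has no comment, and it removes the only per-module reuse limit visible in this hunk for SAM-2. A peer that keeps answering with preauth-required errors carrying fresh SAM-2 challenges will now have the module's callback run on every round, and each round may prompt the user again. Presumably the caller's request loop caps the number of rounds, but that is outside this hunk and should be confirmed. I would add a comment above the test such as `/* SAM-2 may be re-challenged in a multi-hop exchange, so it is exempt from use_count; the caller's retry limit must bound the rounds. */`. The body of run_preauth_plugins begins and ends outside the hunk, so the condition guarding the enclosing block is not visible here.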