-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
The Kerberos backend would previously try only the first server and if it was unreachable, it immediatelly went offline.
This patch was rebased on top of Sumit's tevent_req rewrite of krb_auth.c on the sssd-1-2 branch.
It also handles the case where the child times out and removes the special-casing of SSS_PAM_CHAUTHTOK in krb5_resolve_kdc_done(). The special casing didn't in fact have any effect as when using KDC for password changes we don't distinguish between the kdc and kpasswd service (they use the same "port" in terms of failover).