diff --git a/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif b/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif index 8a2e7a9..a729801 100644 --- a/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif +++ b/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif @@ -2,7 +2,7 @@ Index: src/auth.c =================================================================== --- src/auth.c.orig +++ src/auth.c -@@ -481,9 +481,13 @@ pam_sm_setcred(pam_handle_t *pamh, int f +@@ -480,9 +480,13 @@ pam_sm_setcred(pam_handle_t *pamh, int f return pam_sm_open_session(pamh, flags, argc, argv); } if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { @@ -35,8 +35,8 @@ Index: src/sly.c + retuid = setresuid(getuid(), save_euid, getuid()); + retgid = setresgid(getgid(), save_egid, getgid()); + -+ debug("restore privileges: UID = %u, EUID = %u\n", getuid(), geteuid()); -+ debug("restore privileges: GID = %u, EGID = %u\n", getgid(), getegid()); ++ /* debug("restore privileges: UID = %u, EUID = %u\n", getuid(), geteuid()); */ ++ /* debug("restore privileges: GID = %u, EGID = %u\n", getgid(), getegid()); */ + + return (retuid == -1 || retgid == -1)?-1:0; +} @@ -44,7 +44,7 @@ Index: src/sly.c int _pam_krb5_sly_maybe_refresh(pam_handle_t *pamh, int flags, int argc, PAM_KRB5_MAYBE_CONST char **argv) -@@ -163,6 +178,20 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -163,6 +178,23 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t gid_t gid; char *v5ccname, *v5filename, *v4tktfile; 
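Review bot: In the restore-privileges helper (patch hunk `@@ -35,8 +35,8 @@`), both `debug("restore privileges: ...")` calls are now commented out, so a failed `setresuid()`/`setresgid()` is reported only through the `-1` return value. The call sites are not visible in this hunk, so it cannot be confirmed that the result is checked. Prefer deleting the disabled lines and logging the failure case only, for example `if (retuid == -1 || retgid == -1) warn("could not restore privileges");` placed before the `return`. The helper's signature and the `save_euid`/`save_egid` setup lie outside the hunk.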
@@ -54,18 +54,21 @@ Index: src/sly.c + + if(_pam_krb5_sly_looks_unsafe() == 2 || _pam_krb5_sly_looks_unsafe() == 3) + { ++ /* debug("current privileges: UID = %u, EUID = %u\n", getuid(), geteuid()); */ ++ /* debug("current privileges: GID = %u, EGID = %u\n", getgid(), getegid()); *( ++ + /* drop privileges temporarily; restore them on every return from this function */ + setresuid(getuid(), getuid(), geteuid()); + setresgid(getgid(), getgid(), getegid()); + -+ debug("drop privileges temporarily: UID = %u, EUID = %u\n", getuid(), geteuid()); -+ debug("drop privileges temporarily: GID = %u, EGID = %u\n", getgid(), getegid()); ++ /* debug("drop privileges temporarily: UID = %u, EUID = %u\n", getuid(), geteuid()); */ ++ /* debug("drop privileges temporarily: GID = %u, EGID = %u\n", getgid(), getegid()); */ + } + /* Inexpensive checks. */ switch (_pam_krb5_sly_looks_unsafe()) { case 0: -@@ -170,18 +199,22 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -170,18 +202,22 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t break; case 1: warn("won't refresh credentials while running under sudo"); @@ -88,7 +91,7 @@ Index: src/sly.c return PAM_SERVICE_ERR; break; } -@@ -189,6 +222,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -189,6 +225,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t /* Initialize Kerberos. */ if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) { warn("error initializing Kerberos"); @@ -96,7 +99,7 @@ Index: src/sly.c return PAM_SERVICE_ERR; } -@@ -197,6 +231,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -197,6 +234,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t if (i != PAM_SUCCESS) { warn("could not identify user name"); krb5_free_context(ctx); @@ -104,7 +107,7 @@ Index: src/sly.c return i; } -@@ -205,6 +240,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -205,6 +243,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t if (options == NULL) { warn("error parsing options (shouldn't happen)"); krb5_free_context(ctx); 
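Review bot: The second added line in the `_pam_krb5_sly_looks_unsafe() == 2 || ... == 3` branch ends with `*(` instead of `*/`, so that comment is not closed there and runs on to the `*/` that ends the following "drop privileges temporarily" comment. It builds as intended only because the next non-blank line is itself a comment, and compilers that check for `/*` inside a comment will warn. The line should read `/* debug("current privileges: GID = %u, EGID = %u\n", getgid(), getegid()); */`. Separately, `setresuid(getuid(), getuid(), geteuid());` and `setresgid(getgid(), getgid(), getegid());` just below ignore their return values, so a failed drop would let the refresh continue with the original effective IDs; check both and return `PAM_SERVICE_ERR` on failure. `_pam_krb5_sly_maybe_refresh` starts and ends outside this hunk.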
@@ -112,7 +115,7 @@ Index: src/sly.c return PAM_SERVICE_ERR; } if (options->debug) { -@@ -226,6 +262,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -226,6 +265,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t } _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); @@ -120,7 +123,7 @@ Index: src/sly.c return retval; } -@@ -238,6 +275,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -238,6 +278,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t _pam_krb5_user_info_free(ctx, userinfo); _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); @@ -128,7 +131,7 @@ Index: src/sly.c return PAM_IGNORE; } -@@ -249,6 +287,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -249,6 +290,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t _pam_krb5_user_info_free(ctx, userinfo); _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); @@ -136,7 +139,7 @@ Index: src/sly.c return PAM_SERVICE_ERR; } -@@ -360,5 +399,6 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -360,5 +402,6 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); diff --git a/pam_krb5-2.2.20-1-debug-log-choice.dif b/pam_krb5-2.2.20-1-debug-log-choice.dif deleted file mode 100644 index ba0bc06..0000000 --- a/pam_krb5-2.2.20-1-debug-log-choice.dif +++ /dev/null @@ -1,21 +0,0 @@ -Index: src/options.c -=================================================================== ---- src/options.c.orig -+++ src/options.c -@@ -40,6 +40,7 @@ - #include - #include - #include -+#include - - #ifdef HAVE_SECURITY_PAM_APPL_H - #include -@@ -354,7 +355,7 @@ _pam_krb5_options_init(pam_handle_t *pam - if (strlen(options->realm) > 0) { - krb5_set_default_realm(ctx, options->realm); - if (options->debug) { -- debug("configured realm '%s'", options->realm); -+ pam_syslog(pamh, LOG_DEBUG, "configured realm '%s'", options->realm); - } - } - diff --git a/pam_krb5-2.2.22-1.tar.bz2 b/pam_krb5-2.2.22-1.tar.bz2 deleted file mode 100644 index 5861a11..0000000 
--- a/pam_krb5-2.2.22-1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f71461ba84d1716609670ed74bd515ec5b23a722b083f10a27b6f2a62c36bf9c -size 340922 diff --git a/pam_krb5-2.3.1-1.tar.bz2 b/pam_krb5-2.3.1-1.tar.bz2 new file mode 100644 index 0000000..25ec9f6 --- /dev/null +++ b/pam_krb5-2.3.1-1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:faa8fb8d46f74a56352fc80001c1b1570c4ffb0f6b7a456bca227cffcd2dbb58 +size 413865 diff --git a/pam_krb5-2.3.1-log-choise.dif b/pam_krb5-2.3.1-log-choise.dif new file mode 100644 index 0000000..a504c1c --- /dev/null +++ b/pam_krb5-2.3.1-log-choise.dif 
@@ -0,0 +1,92 @@ +Index: pam_krb5-2.3.1-1/src/acct.c +=================================================================== +--- pam_krb5-2.3.1-1.orig/src/acct.c ++++ pam_krb5-2.3.1-1/src/acct.c +@@ -98,6 +98,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int + krb5_free_context(ctx); + return PAM_SERVICE_ERR; + } ++ if (options->debug) { ++ debug("pam_acct_mgmt called for '%s', realm '%s'", user, ++ options->realm); ++ } + + /* Get information about the user and the user's principal name. */ + userinfo = _pam_krb5_user_info_init(ctx, user, options->realm, +Index: pam_krb5-2.3.1-1/src/auth.c +=================================================================== +--- pam_krb5-2.3.1-1.orig/src/auth.c ++++ pam_krb5-2.3.1-1/src/auth.c +@@ -116,9 +116,10 @@ pam_sm_authenticate(pam_handle_t *pamh, + return PAM_SERVICE_ERR; + } + if (options->debug) { +- debug("called to authenticate '%s', realm '%s'", user, +- options->realm); ++ debug("pam_authenticate called for '%s', realm '%s'", user, ++ options->realm); + } ++ + _pam_krb5_set_init_opts(ctx, gic_options, options); + + /* Get information about the user and the user's principal name. 
*/ +@@ -476,6 +477,11 @@ int + pam_sm_setcred(pam_handle_t *pamh, int flags, + int argc, PAM_KRB5_MAYBE_CONST char **argv) + { ++ notice("pam_setcred (%s) called", ++ (flags & PAM_ESTABLISH_CRED)?"establish credential": ++ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": ++ (flags & PAM_REFRESH_CRED)?"refresh credential": ++ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); + if (flags & PAM_ESTABLISH_CRED) { + return pam_sm_open_session(pamh, flags, argc, argv); + } +Index: pam_krb5-2.3.1-1/src/password.c +=================================================================== +--- pam_krb5-2.3.1-1.orig/src/password.c ++++ pam_krb5-2.3.1-1/src/password.c +@@ -118,6 +118,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int + krb5_free_context(ctx); + return PAM_SERVICE_ERR; + } ++ if (options->debug) { ++ debug("pam_chauthtok called (%s) for '%s', realm '%s'", ++ (flags & PAM_PRELIM_CHECK) ? ++ "preliminary check" : ++ ((flags & PAM_UPDATE_AUTHTOK) ? ++ "updating authtok": ++ "unknown phase"), ++ user, ++ options->realm); ++ } + _pam_krb5_set_init_opts(ctx, gic_options, options); + + /* Get information about the user and the user's principal name. */ +Index: pam_krb5-2.3.1-1/src/session.c +=================================================================== +--- pam_krb5-2.3.1-1.orig/src/session.c ++++ pam_krb5-2.3.1-1/src/session.c +@@ -103,6 +103,10 @@ pam_sm_open_session(pam_handle_t *pamh, + krb5_free_context(ctx); + return PAM_SERVICE_ERR; + } ++ if (options->debug) { ++ debug("pam_open_session called for '%s', realm '%s'", user, ++ options->realm); ++ } + + /* Get information about the user and the user's principal name. 
*/ + userinfo = _pam_krb5_user_info_init(ctx, user, options->realm, +@@ -336,7 +340,10 @@ pam_sm_close_session(pam_handle_t *pamh, + krb5_free_context(ctx); + return PAM_SERVICE_ERR; + } +- ++ if (options->debug) { ++ debug("pam_close_session called for '%s', realm '%s'", user, ++ options->realm); ++ } + /* Get information about the user and the user's principal name. */ + userinfo = _pam_krb5_user_info_init(ctx, user, options->realm, + options->user_check, diff --git a/pam_krb5-LINGUAS.dif b/pam_krb5-LINGUAS.dif index 010c428..f49c52e 100644 --- a/pam_krb5-LINGUAS.dif +++ b/pam_krb5-LINGUAS.dif @@ -1,10 +1,9 @@ --- po/LINGUAS +++ po/LINGUAS 2008/04/14 10:27:51 -@@ -0,0 +1,22 @@ +@@ -0,0 +1,21 @@ +bg +cs +da -+de +es +fi +fr diff --git a/pam_krb5-i18n.dif b/pam_krb5-i18n.dif deleted file mode 100644 index bf91d76..0000000 --- a/pam_krb5-i18n.dif +++ /dev/null 
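Review bot: In the new pam_krb5-2.3.1-log-choise.dif, the `notice("pam_setcred (%s) called", ...)` call added at the top of `pam_sm_setcred` is unconditional, while every other message the patch adds is wrapped in `if (options->debug)`. Each credential operation would therefore write a log line regardless of the module's debug setting. `options` does not appear to be parsed yet at that point in the visible code, so the call cannot simply be gated where it stands. Either drop it and rely on the debug messages in the functions it delegates to (`pam_sm_open_session` gains one in this same patch), or emit it after option parsing behind `if (options->debug)`. The rest of `pam_sm_setcred` lies outside the hunk.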
@@ -1,118 +0,0 @@ -Index: pam_krb5-2.2.22-1/configure.ac -=================================================================== ---- pam_krb5-2.2.22-1.orig/configure.ac -+++ pam_krb5-2.2.22-1/configure.ac -@@ -444,6 +444,24 @@ AC_SUBST(TESTHOST) - AC_SUBST(default_ccache_dir) - AC_SUBST(default_ccname_template) - -+AC_PATH_PROG(XGETTEXT, xgettext) -+if test -z "$XGETTEXT" ; then -+ AC_MSG_ERROR(xgettext is missing; please install gettext.) -+fi -+ -+AM_GNU_GETTEXT([external]) -+AM_GNU_GETTEXT_VERSION(0.16) -+ -+AH_VERBATIM([_ZZENABLE_NLS], -+ [#ifdef ENABLE_NLS -+ #include -+ #define _(msgid) dgettext(PACKAGE, msgid) -+ #define N_(msgid) msgid -+ #else -+ #define _(msgid) (msgid) -+ #define N_(msgid) msgid -+ #endif /* ENABLE_NLS */]) -+ - AC_CONFIG_HEADER(config.h) - AC_OUTPUT([ - Makefile -@@ -467,4 +485,5 @@ tests/tools/klist_f - tests/tools/klist_c - tests/tools/klist_a - tests/tools/klist_4 -+po/Makefile.in - ]) -Index: pam_krb5-2.2.22-1/Makefile.am -=================================================================== ---- pam_krb5-2.2.22-1.orig/Makefile.am -+++ pam_krb5-2.2.22-1/Makefile.am -@@ -2,7 +2,7 @@ EXTRA_DIST = pam_krb5.spec TODO README R - - CONFIGURE_DEPENDENCIES = $(top_srcdir)/pam_krb5.spec - --SUBDIRS = src tests -+SUBDIRS = src tests po - - VERSION=$(shell rpm -q --specfile $(top_srcdir)/pam_krb5.spec --qf '%{version}\n' | head -n1) - RELEASE=$(shell rpm -q --specfile $(top_srcdir)/pam_krb5.spec --qf '%{release}\n' | head -n1) -Index: pam_krb5-2.2.22-1/config.h.in -=================================================================== ---- pam_krb5-2.2.22-1.orig/config.h.in -+++ pam_krb5-2.2.22-1/config.h.in -@@ -274,6 +274,19 @@ - #define PAM_KRB5_GNUC_PRINTF(__x,__y) - #endif - -+/* Define to 1 if translation of program messages to the user's native -+ * language is requested. 
*/ -+#undef ENABLE_NLS -+ -+#ifdef ENABLE_NLS -+#include -+#define _(msgid) dgettext(PACKAGE, msgid) -+#define N_(msgid) msgid -+#else -+#define _(msgid) (msgid) -+#define N_(msgid) msgid -+#endif /* ENABLE_NLS */ -+ - - /* Define to the proper qualifier (either const or nothing) for your PAM - implementation. */ -Index: pam_krb5-2.2.22-1/src/auth.c -=================================================================== ---- pam_krb5-2.2.22-1.orig/src/auth.c -+++ pam_krb5-2.2.22-1/src/auth.c -@@ -283,7 +283,7 @@ pam_sm_authenticate(pam_handle_t *pamh, - if ((retval != PAM_SUCCESS) && - (retval != PAM_USER_UNKNOWN) && - options->use_second_pass) { -- i = _pam_krb5_prompt_for(pamh, "Password: ", &second_pass); -+ i = _pam_krb5_prompt_for(pamh, _("Password: "), &second_pass); - if ((i == PAM_SUCCESS) && - (flags & PAM_DISALLOW_NULL_AUTHTOK) && - (second_pass != NULL) && -Index: pam_krb5-2.2.22-1/src/password.c -=================================================================== ---- pam_krb5-2.2.22-1.orig/src/password.c -+++ pam_krb5-2.2.22-1/src/password.c -@@ -257,7 +257,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int - } - if ((password == NULL) && (options->use_second_pass)) { - /* Ask the user for a password. */ -- sprintf(prompt, "%s%sPassword: ", -+ sprintf(prompt, _("%s%sPassword: "), - options->banner, - strlen(options->banner) > 0 ? " " : ""); - i = _pam_krb5_prompt_for(pamh, prompt, &password); -@@ -345,10 +345,10 @@ pam_sm_chauthtok(pam_handle_t *pamh, int - * okay with that, ask for one. */ - if ((password == NULL) && (retval == PAM_AUTHTOK_ERR)) { - /* Ask for the new password twice. */ -- sprintf(prompt, "New %s%sPassword: ", -+ sprintf(prompt, _("New %s%sPassword: "), - options->banner, - strlen(options->banner) > 0 ? " " : ""); -- sprintf(prompt2, "Repeat New %s%sPassword: ", -+ sprintf(prompt2, _("Repeat New %s%sPassword: "), - options->banner, - strlen(options->banner) > 0 ? 
" " : ""); - i = _pam_krb5_prompt_for_2(pamh, prompt, &password, -Index: pam_krb5-2.2.22-1/po/POTFILES.in -=================================================================== ---- /dev/null -+++ pam_krb5-2.2.22-1/po/POTFILES.in -@@ -0,0 +1,2 @@ -+src/auth.c -+src/password.c diff --git a/pam_krb5-init-podir.tar.gz b/pam_krb5-init-podir.tar.gz deleted file mode 100644 index 1e992a7..0000000 --- a/pam_krb5-init-podir.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:51e14a32e2968d9cbb8229ef42ff8f8f4d51e68c225604e2fa9094d868857950 -size 6692 diff --git a/pam_krb5-po-Makevars.dif b/pam_krb5-po-Makevars.dif new file mode 100644 index 0000000..6df362c --- /dev/null +++ b/pam_krb5-po-Makevars.dif @@ -0,0 +1,13 @@ +Index: pam_krb5-2.3.1-1/po/Makevars +=================================================================== +--- pam_krb5-2.3.1-1.orig/po/Makevars ++++ pam_krb5-2.3.1-1/po/Makevars +@@ -8,7 +8,7 @@ subdir = po + top_builddir = .. + + # These options get passed to xgettext. +-XGETTEXT_OPTIONS = --keyword=_ --keyword=N_ ++XGETTEXT_OPTIONS = --keyword=_ --keyword=N_ --keyword=Y_ + + # This is the copyright holder that gets inserted into the header of the + # $(DOMAIN).pot file. Set this to the copyright holder of the surrounding diff --git a/pam_krb5.changes b/pam_krb5.changes index 18e9070..2699599 100644 --- a/pam_krb5.changes +++ b/pam_krb5.changes 
@@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Fri Jun 20 16:26:30 CEST 2008 - mc@suse.de + +- version 2.3.1 + * translations for messages! + * added the ability to set up tokens in the rxk5 format + * added the "token_strategy" option to control which methods we'll + try to use for setting tokens + * merge "null_afs" functionality from Jan Iven + * when we're changing passwords, force at least one attempt to + authenticate using the KDC, even in the pathological case where + there's no previously- entered password and we were told not to ask + for one (brc#400611) + ------------------------------------------------------------------- Fri Jun 6 10:07:14 CEST 2008 - mc@suse.de diff --git a/pam_krb5.spec b/pam_krb5.spec index 8d88181..7242016 100644 --- a/pam_krb5.spec +++ b/pam_krb5.spec @@ -1,5 +1,5 @@ # -# spec file for package pam_krb5 (Version 2.2.22) +# spec file for package pam_krb5 (Version 2.3.1) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -18,17 +18,16 @@ License: GPL v2 or later Group: Productivity/Networking/Security Provides: pam_krb AutoReqProv: on -Version: 2.2.22 -Release: 36 +Version: 2.3.1 +Release: 1 Summary: PAM Module for Kerberos Authentication Url: http://sourceforge.net/projects/pam-krb5/ Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2 -Source1: pam_krb5-init-podir.tar.gz Source2: pam_krb5-po.tar.gz Patch1: pam_krb5-2.2.0-0.5-configure_ac.dif Patch2: pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif -Patch3: pam_krb5-2.2.20-1-debug-log-choice.dif -Patch4: pam_krb5-i18n.dif +Patch3: pam_krb5-2.3.1-log-choise.dif +Patch4: pam_krb5-po-Makevars.dif Patch5: pam_krb5-LINGUAS.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -45,12 +44,11 @@ Authors: %prep %setup -q -n pam_krb5-%{version}-%{PAM_RELEASE} -%setup -a 1 -T -D -n pam_krb5-%{version}-%{PAM_RELEASE} %setup -a 2 -T -D -n pam_krb5-%{version}-%{PAM_RELEASE} %patch1 %patch2 -%patch3 -%patch4 -p1 +%patch3 -p1 +%patch4 -p1 %patch5 %build @@ -62,6 +60,7 @@ CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE " \ --mandir=%{_mandir} \ --with-os-distribution="openSUSE" make %{?jobs:-j%jobs} +make -C po update-po make check %install @@ -85,6 +84,17 @@ rm -rf $RPM_BUILD_ROOT %attr(755,root,root) /usr/bin/afs5log %changelog +* Fri Jun 20 2008 mc@suse.de +- version 2.3.1 + * translations for messages! + * added the ability to set up tokens in the rxk5 format + * added the "token_strategy" option to control which methods we'll + try to use for setting tokens + * merge "null_afs" functionality from Jan Iven + * when we're changing passwords, force at least one attempt to + authenticate using the KDC, even in the pathological case where + there's no previously- entered password and we were told not to ask + for one (brc#400611) * Fri Jun 06 2008 mc@suse.de - update i18n files * Fri May 09 2008 mc@suse.de