Index: include/krb5/krb5.hin
===================================================================
--- include/krb5/krb5.hin (revision 18810)
+++ include/krb5/krb5.hin (working copy)
@@ -2408,6 +2408,7 @@
 krb5_preauthtype *preauth_list;
 int preauth_list_length;
 krb5_data *salt;
+ int password_change_prompt;
 } krb5_get_init_creds_opt;
 #define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001
@@ -2418,8 +2419,8 @@
 #define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020
 #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040
 #define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080
+#define KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT 0x0100
-
 void KRB5_CALLCONV
 krb5_get_init_creds_opt_init
 (krb5_get_init_creds_opt *opt);
@@ -2466,8 +2467,11 @@
 (krb5_get_init_creds_opt *opt,
 krb5_data *salt);
+void KRB5_CALLCONV
+krb5_get_init_creds_opt_set_change_password_prompt
+(krb5_get_init_creds_opt *opt,
+ int prompt);
-
 krb5_error_code KRB5_CALLCONV
 krb5_get_init_creds_password
 (krb5_context context,
Index: lib/krb5/krb/gic_opt.c
===================================================================
--- lib/krb5/krb/gic_opt.c (revision 18810)
+++ lib/krb5/krb/gic_opt.c (working copy)
@@ -63,3 +63,11 @@
 opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT;
 opt->salt = salt;
 }
+
+void KRB5_CALLCONV
+krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, int prompt)
+{
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
+ opt->password_change_prompt = prompt;
+}
+
Index: lib/krb5/krb/gic_pwd.c
===================================================================
--- lib/krb5/krb/gic_pwd.c (revision 18810)
+++ lib/krb5/krb/gic_pwd.c (working copy)
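Review bot: The first krb5.hin hunk appends `int password_change_prompt;` to the public `krb5_get_init_creds_opt` struct without a comment recording the compatibility constraint that makes this safe. If callers allocate this struct themselves (`krb5_get_init_creds_opt_init` takes a caller-provided pointer, which suggests they do), an object built against the previous header is shorter than the new one, so the library must read this field only when the new `KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT` bit is set in `flags`, since only the new setter can set that bit. A comment on the field such as `/* valid only when KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT is set in flags; older callers' structs end before this member */` would keep future consumers from reading it unguarded.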
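Review bot: The new `krb5_get_init_creds_opt_set_change_password_prompt` prototype in the third krb5.hin hunk is part of the public interface but carries no comment stating what `prompt` means or what the default is when the setter is never called. A comment above the declaration such as `/* prompt != 0 (the behaviour when this setter is not called) lets krb5_get_init_creds_password prompt for a new password on an expired-password error; prompt == 0 makes it return the error instead. */` would record the contract the gic_pwd.c change implements. The struct member this setter stores into is named `password_change_prompt` in the first hunk; the declaration, the definition and the consumer should all use that one name.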
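Review bot: The new definition in the gic_opt.c hunk is named `krb5_get_init_creds_opt_set_salt`, which is the name of the existing setter whose closing brace the hunk starts with, and not the `krb5_get_init_creds_opt_set_change_password_prompt` that the krb5.hin hunk declares; the file will fail with a conflicting definition and the declared setter will have no definition at all. The signature line should read `krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, int prompt)`. The body itself follows the sibling setter's pattern of setting the flag bit and storing the value, which is what lets the consumer gate its read of the new field on the flag.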
@@ -182,6 +182,15 @@
 (prompter == NULL))
 goto cleanup;
+ /* historically the default has been to prompt for password change.
+ * if the change password prompt option has not been set, we continue
+ * to prompt. Prompting is only disabled if the option has been set
+ * and the value has been set to false.
+ */
+ if ((options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT) &&
+ !options->change_password_prompt)
+ goto cleanup;
+
 /* ok, we have an expired password. Give the user a few chances to change it */
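Review bot: The new check reads `options->change_password_prompt`, but the member added to `krb5_get_init_creds_opt` in the krb5.hin hunk is `password_change_prompt`, so this does not compile against that header; the second line of the condition should be `!options->password_change_prompt)`. `options` is dereferenced unconditionally here, and if this API accepts a NULL options pointer from callers (the parameter handling is not visible in the hunk) the test needs a guard in front, e.g. `if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT) && !options->password_change_prompt)`. Keeping the flag test before the field read, as written, is also what protects callers whose options struct was built against the previous header and ends before the new member, so the short-circuit order should not be rearranged later. The enclosing function starts and ends outside the hunk.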