diff --git a/SOURCES/krb5-1.13.3-do_not_allow_stream_socket_retries_in_libkrad.patch b/SOURCES/krb5-1.13.3-do_not_allow_stream_socket_retries_in_libkrad.patch
new file mode 100644
index 0000000..e17972b
--- /dev/null
+++ b/SOURCES/krb5-1.13.3-do_not_allow_stream_socket_retries_in_libkrad.patch
@@ -0,0 +1,53 @@
+From 25e0656fdf9862faf9aa91288023776e9a47caad Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Fri, 7 Aug 2015 15:35:58 -0400
+Subject: [PATCH] Do not allow stream socket retries in libkrad
+
+Before this patch, libkrad would follow the same exact logic for all
+socket types when the retries parameter was non-zero.  This meant that
+when connecting with SOCK_STREAM, multiple requests were sent in case
+of packet drops, which, of course, cannot happen for SOCK_STREAM.
+
+Instead, just disable retries for SOCK_STREAM sockets.
+
+[ghudson@mit.edu: minor wording edits]
+
+ticket: 8229 (new)
+target_version: 1.13.3
+tags: pullup
+---
+Patch for RH Bug #1251586 ("KDC sends multiple requests to ipa-otpd
+for the same authentication")
+---
+ src/include/krad.h    | 3 ++-
+ src/lib/krad/remote.c | 3 +++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/include/krad.h b/src/include/krad.h
+index 913464c..e4edb52 100644
+--- a/src/include/krad.h
++++ b/src/include/krad.h
+@@ -251,7 +251,8 @@ krad_client_free(krad_client *client);
+  *  - hostname:service
+  *
+  * The timeout parameter (milliseconds) is the total timeout across all remote
+- * hosts (when DNS returns multiple entries) and all retries.
++ * hosts (when DNS returns multiple entries) and all retries.  For stream
++ * sockets, the retries parameter is ignored and no retries are performed.
+  *
+  * The cb function will be called with the data argument when either a response
+  * is received or the request times out on all possible remote hosts.
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index 795485f..aaabffd 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -448,6 +448,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
+     krb5_error_code retval;
+     request *r;
+ 
++    if (rr->info->ai_socktype == SOCK_STREAM)
++        retries = 0;
++
+     r = TAILQ_FIRST(&rr->list);
+     retval = krad_packet_new_request(rr->kctx, rr->secret, code, attrs,
+                                      (krad_packet_iter_cb)iterator, &r, &tmp);
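Review bot: The new `retries = 0` override in kr_remote_send carries no comment, so the reason for silently discarding the caller's value lives only in the commit message; a line such as `/* Stream transports do not drop packets; a resend would only duplicate the request. */` above the `if` would keep it with the code. The test is an equality against SOCK_STREAM, so any other reliable socket type would still be retried; presumably only datagram and stream sockets reach this function, but that is not visible in this hunk. Separately, the patch header cites RH Bug #1251586 while the spec changelog entry added in the same commit cites #1256870 for the same quoted summary, so it is worth confirming which number is intended. kr_remote_send's body starts before and continues past the embedded hunk.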
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index d405896..dd47276 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12.2
-Release: 14%{?dist}
+Release: 15%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -133,6 +133,7 @@ Patch321: krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch
 Patch322: krb5-CVE_2014_5354_support_keyless_principals_in_LDAP.patch
 Patch323: krb5_cve_2014_9421_2014_9422_2014_9423_2014_5352_krb5-1.12.2-final.patch
 Patch324: krb5-1.13_kinit_C_loop_krb5bug243.patch
+Patch325: krb5-1.13.3-do_not_allow_stream_socket_retries_in_libkrad.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -403,7 +404,8 @@ chmod u+x src/util/paste-kdcproxy.py
 %patch322 -p1 -b .krb5-cve_2014_5354_support_keyless_principals_in_ldap
 %patch323 -p1 -b .krb5_cve_2014_9421_2014_9422_2014_9423_2014_5352_krb5-1.12.2-final
 %patch324 -p1 -b .krb5_1_13_kinit_C_loop_krb5bug243
-
+%patch325 -p1 -b .krb5-1.13.3-do_not_allow_stream_socket_retries_in_libkrad
+ 
 
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
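Review bot: The line added after `%patch325` contains a single space rather than being empty, so this hunk replaces a clean blank line with trailing whitespace. Keeping the original empty line and adding only `%patch325 -p1 -b .krb5-1.13.3-do_not_allow_stream_socket_retries_in_libkrad` would make the change a one-line addition. It should not affect the build, but it adds noise to later diffs of this part of the spec.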
@@ -1083,6 +1085,12 @@ exit 0
 
 
 %changelog
+* Wed Aug 26 2015 Roland Mainz <rmainz@redhat.com> - 1.12.2-15
+- Add a patch to fix RedHat bug #1256870 ("KDC sends multiple
+  requests to ipa-otpd for the same authentication") which causes
+  the KDC to send multiple retries to ipa-otpd for TCP transports
+  while it should only be done for UDP.
+
 * Mon Jan 26 2015 Roland Mainz <rmainz@redhat.com> - 1.12.2-14
 - fix for kinit -C loops (#1184629, MIT/krb5 issue 243, "Do not
   loop on principal unknown errors").