diff --git a/lib/krb5/changepw.c b/lib/krb5/changepw.c
index 2ce78c6fa..d57ed9e3b 100644
--- a/lib/krb5/changepw.c
+++ b/lib/krb5/changepw.c
@@ -577,7 +577,7 @@ change_password_loop (krb5_context	context,
 	for (a = ai; !done && a != NULL; a = a->ai_next) {
 	    int replied = 0;
 
-	    sock = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	    sock = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
 	    if (sock < 0)
 		continue;
 	    rk_cloexec(sock);
diff --git a/lib/krb5/kcm.c b/lib/krb5/kcm.c
index fe9144096..d5f38c5aa 100644
--- a/lib/krb5/kcm.c
+++ b/lib/krb5/kcm.c
@@ -105,7 +105,7 @@ try_unix_socket(krb5_context context,
     krb5_error_code ret;
     int fd;
 
-    fd = socket(AF_UNIX, SOCK_STREAM, 0);
+    fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
     if (fd < 0)
 	return KRB5_CC_IO;
     rk_cloexec(fd);
diff --git a/lib/krb5/krb5_locl.h b/lib/krb5/krb5_locl.h
index 3cea08960..f3e2e78e1 100644
--- a/lib/krb5/krb5_locl.h
+++ b/lib/krb5/krb5_locl.h
@@ -180,6 +180,11 @@ struct _krb5_krb_auth_data;
 #define O_CLOEXEC 0
 #endif
 
+#ifndef SOCK_CLOEXEC
+#define SOCK_CLOEXEC 0
+#endif
+
+
 #define KRB5_BUFSIZ 1024
 
 typedef enum {
diff --git a/lib/krb5/send_to_kdc.c b/lib/krb5/send_to_kdc.c
index b236b070d..c21c18c63 100644
--- a/lib/krb5/send_to_kdc.c
+++ b/lib/krb5/send_to_kdc.c
@@ -288,7 +288,7 @@ send_via_proxy (krb5_context context,
 	return krb5_eai_to_heim_errno(ret, errno);
 
     for (a = ai; a != NULL; a = a->ai_next) {
-	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol | SOCK_CLOEXEC);
 	if (s < 0)
 	    continue;
 	rk_cloexec(s);
@@ -411,7 +411,7 @@ krb5_sendto (krb5_context context,
 		 continue;
 
 	     for (a = ai; a != NULL; a = a->ai_next) {
-		 fd = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+		 fd = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
 		 if (fd < 0)
 		     continue;
 		 rk_cloexec(fd);