Don't set krbLastPwdChange when setting a host OTP password.

We have no visibility into whether an entry has a keytab or not so
krbLastPwdChange is used as a rough guide.

If this value exists during enrollment then it fails because the host
is considered already joined. This was getting set when a OTP was
added to a host that had already been enrolled (e.g. you enroll a host,
unenroll it, set a OTP, then try to re-enroll). The second enrollment
was failing because the enrollment plugin thought it was still
enrolled becaused krbLastPwdChange was set.

https://fedorahosted.org/freeipa/ticket/1357

1 files changed, 9 insertions, 0 deletions

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index f1da29321..cb9af98e4 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -141,6 +141,7 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 	struct berval	*extop_value = NULL;
 	BerElement	*ber = NULL;
 	Slapi_Entry *targetEntry=NULL;
+	Slapi_Value *objectclass=NULL;
 	char *attrlist[] = {"*", "passwordHistory", NULL };
 	struct ipapwd_data pwdata;
 	int is_krb, is_smb;
@@ -288,6 +289,14 @@ parse_req_done:
 		goto free_and_return;
 	 }
 
+	/* When setting the password for host principals do not set kerberos
+	 * keys */
+	objectclass = slapi_value_new_string("ipaHost");
+	if ((slapi_entry_attr_has_syntax_value(targetEntry, SLAPI_ATTR_OBJECTCLASS, objectclass)) == 1) {
+		is_krb = 0;
+	}
+	slapi_value_free(&objectclass);
+
 	 /* First thing to do is to ask access control if the bound identity has
 	  * rights to modify the userpassword attribute on this entry. If not,
 	  * then we fail immediately with insufficient access. This means that