author | Rob Crittenden <rcritten@redhat.com> | 2011-06-28 13:09:18 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-07-18 19:34:19 -0400 |
commit | a00b03831b6a7ccb87d58c92c1072c586889508e (patch) | |
tree | 8f473bf5de7a0a2dc56c3a93d3aeea4a35502bf5 /daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c | |
parent | e5a5c781f9c1152ff61cd21d649df99f465722c4 (diff) | |
Don't set krbLastPwdChange when setting a host OTP password.
We have no visibility into whether an entry has a keytab or not so
krbLastPwdChange is used as a rough guide.
If this value exists during enrollment then it fails because the host
is considered already joined. This was getting set when an OTP was
added to a host that had already been enrolled (e.g. you enroll a host,
unenroll it, set an OTP, then try to re-enroll). The second enrollment
was failing because the enrollment plugin thought it was still
enrolled, since krbLastPwdChange was set.
https://fedorahosted.org/freeipa/ticket/1357
Diffstat (limited to 'daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c')
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c | 50 |
1 files changed, 30 insertions, 20 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 2b1c7d1e3..caca0fc70 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -793,6 +793,7 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
 char *errMsg = "Internal operations error\n";
 struct ipapwd_krbcfg *krbcfg = NULL;
 char *principal = NULL;
+ Slapi_Value *ipahost;
 LOG_TRACE("=>\n");
@@ -828,26 +829,6 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
 /* prepare changes that can be made only as root */
 smods = slapi_mods_new();
- /* change Last Password Change field with the current date */
- if (!gmtime_r(&(pwdop->pwdata.timeNow), &utctime)) {
- LOG_FATAL("failed to parse current date (buggy gmtime_r ?)\n");
- goto done;
- }
- strftime(timestr, GENERALIZED_TIME_LENGTH+1,
- "%Y%m%d%H%M%SZ", &utctime);
- slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
- "krbLastPwdChange", timestr);
-
- /* set Password Expiration date */
- if (!gmtime_r(&(pwdop->pwdata.expireTime), &utctime)) {
- LOG_FATAL("failed to parse expiration date (buggy gmtime_r ?)\n");
- goto done;
- }
- strftime(timestr, GENERALIZED_TIME_LENGTH+1,
- "%Y%m%d%H%M%SZ", &utctime);
- slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
- "krbPasswordExpiration", timestr);
-
 /* This was a mod operation on an existing entry, make sure we also update
 * the password history based on the entry we saved from the pre-op */
 if (IPAPWD_OP_MOD == pwdop->pwd_op) {
@@ -869,6 +850,35 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
 }
 }
+ /* set Password Expiration date */
+ if (!gmtime_r(&(pwdop->pwdata.expireTime), &utctime)) {
+ LOG_FATAL("failed to parse expiration date (buggy gmtime_r ?)\n");
+ goto done;
+ }
+ strftime(timestr, GENERALIZED_TIME_LENGTH+1,
+ "%Y%m%d%H%M%SZ", &utctime);
+ slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
+ "krbPasswordExpiration", timestr);
+
+ /* Don't set a last password change password on host passwords. This
+ * attribute is used to tell whether we have a valid keytab. If we
+ * set it on userPassword it confuses enrollment.
+ */
+ ipahost = slapi_value_new_string("ipaHost");
+ if (!pwdop->pwdata.target || (slapi_entry_attr_has_syntax_value(pwdop->pwdata.target, SLAPI_ATTR_OBJECTCLASS, ipahost)) == 0) {
+ /* change Last Password Change field with the current date */
+ if (!gmtime_r(&(pwdop->pwdata.timeNow), &utctime)) {
+ LOG_FATAL("failed to parse current date (buggy gmtime_r ?)\n");
+ slapi_value_free(&ipahost);
+ goto done;
+ }
+ strftime(timestr, GENERALIZED_TIME_LENGTH+1,
+ "%Y%m%d%H%M%SZ", &utctime);
+ slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
+ "krbLastPwdChange", timestr);
+ }
+ slapi_value_free(&ipahost);
+
 ret = ipapwd_apply_mods(pwdop->pwdata.dn, smods);
 if (ret)
 LOG("Failed to set additional password attributes in the post-op!\n"); |
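Review bot: The `!pwdop->pwdata.target ||` clause makes the new host guard fail open: when the pre-op did not save the target entry, krbLastPwdChange is still stamped on whatever entry is being modified, host or not, which is exactly the state the commit message says breaks re-enrollment. If a missing target is expected here, the comment should say the host check is best-effort and why writing the attribute anyway is acceptable, e.g. `/* No target entry from the pre-op: we cannot tell hosts apart, so keep the old behaviour and stamp the attribute. */`; otherwise consider logging that case so a host that silently looks "enrolled" can be traced. The `slapi_value_new_string` result is also handed to `slapi_entry_attr_has_syntax_value` unchecked; if the slapi allocator can return NULL here (not visible in the hunk), the dereference would happen inside a privileged server plugin. The comment wording `Don't set a last password change password on host passwords` reads as a slip; `Don't set krbLastPwdChange on host (ipaHost) entries` says what the code does. ipapwd_post_op and its `done:` label continue outside the hunk.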