From 0c6e04712899d879ddbe63f957bbf6d866fd2b70 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 13 Feb 2012 22:43:15 -0500
Subject: ipa-kdb: set krblastpwdchange only when keys have been effectively changed
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'daemons/ipa-kdb/ipa_kdb_principals.c')
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 9a3c86fb0..a0d468717 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1422,7 +1422,8 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
 /* KADM5_LAST_PWD_CHANGE */
 /* apparently, at least some versions of kadmin fail to set this flag
 * when they do include a pwd change timestamp in TL_DATA.
- * So for now always check for it regardless. */
+ * So for now check if KADM5_KEY_DATA has been set, which kadm5
+ * always does on password changes */
 #if KADM5_ACTUALLY_SETS_LAST_PWD_CHANGE
 if (entry->mask & KMASK_LAST_PWD_CHANGE) {
 if (!entry->n_tl_data) {
@@ -1431,7 +1432,8 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
 }
 #else
- if (entry->n_tl_data) {
+ if (entry->n_tl_data &&
+ entry->mask & KMASK_KEY_DATA) {
 #endif
 kerr = ipadb_get_tl_data(entry, KRB5_TL_LAST_PWD_CHANGE,
-- cgit
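Review bot: In the `#else` branch of the second hunk, the new condition `entry->n_tl_data && entry->mask & KMASK_KEY_DATA` relies on `&` binding tighter than `&&`. It evaluates as intended, but writing it as `if (entry->n_tl_data && (entry->mask & KMASK_KEY_DATA)) {` makes the mask test explicit. The guard also makes the last-password-change update depend on the caller having set the key-data bit, which the comment in the first hunk says kadm5 always does on password changes. If password-age policy reads this timestamp, as the subject line suggests, a key change arriving without that bit would leave it stale, so the comment should say which callers were checked. The comment names `KADM5_KEY_DATA` while the code tests `KMASK_KEY_DATA`; use one name or note the mapping. `ipadb_entry_to_mods` starts and ends outside both hunks.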