ipa-kdb: Fix legacy password hashes generation

We were not searching for objectclass so the test to se if a user had the
posixAccount attribute was failing and the user was not marked as ipa_user.
This in turn caused us to not synchronize legacy hashes by not trying to store
the userPassword attribute.

Fixes: https://fedorahosted.org/freeipa/ticket/1820

2 files changed, 2 insertions, 3 deletions

diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index 28ec382d..93e9e206 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -283,9 +283,7 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
     krb5_principal mod_princ = NULL;
     krb5_boolean truexp = true;
 
-
-    /* Assume all principals with just one component as user principals */
-    if (entry->princ->length == 1) {
+    if (ied->ipa_user) {
         kerr = krb5_dbe_lookup_mod_princ_data(context, entry,
                                               &mod_time, &mod_princ);
         if (kerr) {
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 249aed2f..fdd834f3 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -53,6 +53,7 @@ static char *std_principal_attrs[] = {
     "nsaccountlock",
     "passwordHistory",
 
+    "objectClass",
     NULL
 };