diff options
| author | Simo Sorce <ssorce@redhat.com> | 2012-02-13 22:43:15 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2012-02-15 04:51:15 -0500 |
| commit | 0c6e04712899d879ddbe63f957bbf6d866fd2b70 (patch) | |
| tree | 6a75dd545bc33c1565a8092a61e5840fe291ce7a /daemons/ipa-kdb | |
| parent | c3c59ce15c48110a5b91a2953fef2f51af875899 (diff) | |
| download | freeipa-0c6e04712899d879ddbe63f957bbf6d866fd2b70.tar.gz freeipa-0c6e04712899d879ddbe63f957bbf6d866fd2b70.tar.xz freeipa-0c6e04712899d879ddbe63f957bbf6d866fd2b70.zip | |
ipa-kdb: set krblastpwdchange only when keys have been effectively changed
Diffstat (limited to 'daemons/ipa-kdb')
| -rw-r--r-- | daemons/ipa-kdb/ipa_kdb_principals.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 9a3c86fb0..a0d468717 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -1422,7 +1422,8 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext, /* KADM5_LAST_PWD_CHANGE */ /* apparently, at least some versions of kadmin fail to set this flag * when they do include a pwd change timestamp in TL_DATA. - * So for now always check for it regardless. */ + * So for now check if KADM5_KEY_DATA has been set, which kadm5 + * always does on password changes */ #if KADM5_ACTUALLY_SETS_LAST_PWD_CHANGE if (entry->mask & KMASK_LAST_PWD_CHANGE) { if (!entry->n_tl_data) { @@ -1431,7 +1432,8 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext, } #else - if (entry->n_tl_data) { + if (entry->n_tl_data && + entry->mask & KMASK_KEY_DATA) { #endif kerr = ipadb_get_tl_data(entry, KRB5_TL_LAST_PWD_CHANGE, |