Return default TL_DATA is krbExtraData is missing

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/937
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

1 files changed, 10 insertions, 1 deletions

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index f2a5a417e..ff8370b1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -95,6 +95,8 @@ static char *std_principal_obj_classes[] = {
 
 #define STD_PRINCIPAL_OBJ_CLASSES_SIZE (sizeof(std_principal_obj_classes) / sizeof(char *) - 1)
 
+#define DEFAULT_TL_DATA_CONTENT "\x00\x00\x00\x00principal@UNINITIALIZED"
+
 static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le,
                                       char *attrname,
                                       krb5_tl_data **result, int *num)
@@ -163,7 +165,7 @@ done:
 static krb5_error_code ipadb_set_tl_data(krb5_db_entry *entry,
                                          krb5_int16 type,
                                          krb5_ui_2 length,
-                                         krb5_octet *data)
+                                         const krb5_octet *data)
 {
     krb5_error_code kerr;
     krb5_tl_data *new_td = NULL;
@@ -595,6 +597,13 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
         entry->tl_data = res_tl_data;
         entry->n_tl_data = result;
     case ENOENT:
+        /* The kadmin utility expects always at least KRB5_TL_MOD_PRINC tl_data
+         * to be available. So if krbExtraData is missing (may happen when a
+         * user is created but no password has been set yet) then add a default
+         * one. */
+        kerr = ipadb_set_tl_data(entry, KRB5_TL_MOD_PRINC,
+                                 sizeof(DEFAULT_TL_DATA_CONTENT),
+                                 (const krb5_octet *)DEFAULT_TL_DATA_CONTENT);
         break;
     default:
         kerr = KRB5_KDB_INTERNAL_ERROR;