Due to an idiosyncrasy of kadmin, the right flag to indicate that
krbLastPwdChange has changed is not set. The previous check ended up
always saving the data in all cases because the data was always present.
Restrict it to store a password change when there is actually new key
material.

This also prevents audit operations from causing replications.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York
From 6ce7908595cfbc5a38d929c84d7cbe783ac92f15 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Mon, 13 Feb 2012 22:43:15 -0500
Subject: [PATCH 5/5] ipa-kdb: set krblastpwdchange only when keys have been
 effectively changed

---
 daemons/ipa-kdb/ipa_kdb_principals.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 9a3c86fb0c249a3c1c0f66fb4ddf67a1890df73f..a0d4687175d8283020ce9da83b355dd1c94051b0 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1422,7 +1422,8 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
     /* KADM5_LAST_PWD_CHANGE */
     /* apparently, at least some versions of kadmin fail to set this flag
      * when they do include a pwd change timestamp in TL_DATA.
-     * So for now always check for it regardless. */
+     * So for now check if KADM5_KEY_DATA has been set, which kadm5
+     * always does on password changes */
 #if KADM5_ACTUALLY_SETS_LAST_PWD_CHANGE
     if (entry->mask & KMASK_LAST_PWD_CHANGE) {
         if (!entry->n_tl_data) {
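Review bot: the new comment names the mask as KADM5_KEY_DATA while the code beneath it tests KMASK_KEY_DATA; use the identifier the code actually checks so the next reader does not go looking for a kadm5-side flag. The comment also now describes only the #else path (the #if KADM5_ACTUALLY_SETS_LAST_PWD_CHANGE branch still tests KMASK_LAST_PWD_CHANGE and is untouched), so either move it into the #else block or say explicitly that it applies to the fallback, and close it with a period for consistency with the line above.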
@@ -1431,7 +1432,8 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
         }
 
 #else
-    if (entry->n_tl_data) {
+    if (entry->n_tl_data &&
+        entry->mask & KMASK_KEY_DATA) {
 #endif
         kerr = ipadb_get_tl_data(entry,
                                  KRB5_TL_LAST_PWD_CHANGE,
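Review bot: parenthesize the bitwise test in the new condition, i.e. write `entry->n_tl_data &&` / `(entry->mask & KMASK_KEY_DATA)`; the precedence happens to be right (`&` binds tighter than `&&`), but mixing the two operators unparenthesized is easy to misread, and it also mirrors the `if (entry->mask & KMASK_LAST_PWD_CHANGE)` form used in the #if branch of the same function. It would also help to state in the commit message that any operation which sets KMASK_KEY_DATA, not only an interactive password change, will now stamp krbLastPwdChange, since the subject line ("only when keys have been effectively changed") implies that is the intended semantics.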
-- 
1.7.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
