On Thu, Dec 13, 2012 at 06:05:20PM -0500, Greg Hudson via RT wrote:
> The problem seems bigger than just this symptom:

Agreed.

> * krb5_ldap_put_principal doesn't check whether KADM5_TL_DATA is set in
> entry->mask. So any tl_data in the principal will be written out in any
> update, whether normalized to type-specific LDAP attributes or marshalled
> into krbExtraData. If you're going to use the patch you provided as a
> downstream workaround, I'd suggest nulling out entry->tl_data temporarily
> instead of just resetting the last-admin-unlock value.

Yes, I think that'll work.

Thanks,

Nalin