From 98a380ce0d20fed013a3d2a450e223bd9c470e4a Mon Sep 17 00:00:00 2001
From: Timothy Pearson <kb9vqf@pearsoncomputing.net>
Date: Thu, 28 Feb 2013 17:14:41 -0600
Subject: [PATCH] Fix KDC verification failure due to bonding utility failing
 to obtain host heys See
 http://kerberos.996246.n3.nabble.com/kadmin-kadmind-ext-keytab-issue-td11529.html
 for fix

---
 acl-updater/plugin/plugin.cpp | 4 ++--
 confskel/heimdal/kadmind.acl  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/acl-updater/plugin/plugin.cpp b/acl-updater/plugin/plugin.cpp
index a2ac3b2..f67fe0b 100644
--- a/acl-updater/plugin/plugin.cpp
+++ b/acl-updater/plugin/plugin.cpp
@@ -87,7 +87,7 @@ post_modify (Slapi_PBlock *pb)
 				stream << "\n\n";
 	
 				stream << "# Internal Kerberos administration account\n";
-				stream << TQString("kadmin/%1@%2\tall").arg(rootaccountname).arg(realmname);
+				stream << TQString("kadmin/%1@%2\tall,get-keys").arg(rootaccountname).arg(realmname);
 				stream << "\n\n";
 	
 				stream << "# Configured realm administrators\n";
@@ -98,7 +98,7 @@ post_modify (Slapi_PBlock *pb)
 					krbConvertedUser.truncate(cmpos);
 					krbConvertedUser.remove(0, eqpos);
 					krbConvertedUser.append("@"+realmname);
-					stream << krbConvertedUser << "\tall\n";
+					stream << krbConvertedUser << "\tall,get-keys\n";
 				}
 				file.close();
 			}
diff --git a/confskel/heimdal/kadmind.acl b/confskel/heimdal/kadmind.acl
index b534354..29c2cd2 100644
--- a/confskel/heimdal/kadmind.acl
+++ b/confskel/heimdal/kadmind.acl
@@ -2,7 +2,7 @@
 # All changes will be lost!
 
 # Internal Kerberos administration account
-kadmin/@@@ROOTUSER@@@@@@@REALM_UCNAME@@@	all
+kadmin/@@@ROOTUSER@@@@@@@REALM_UCNAME@@@	all,get-keys
 
 # Configured realm administrators
-@@@ADMINUSER@@@@@@@REALM_UCNAME@@@	all
\ No newline at end of file
+@@@ADMINUSER@@@@@@@REALM_UCNAME@@@	all,get-keys