From 290d7e75f25c3c60a2665ba19282649fe5a7e3e5 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Fri, 31 May 2019 00:05:56 +0000
Subject: [PATCH] Fixes #536 - Note that this can cause unexpected behavior
 with certain backends

When running with verify-password-quality and a back-end that stores
history (such as heimdal-history) this command can cause an update to
the database meaning the password can no longer be used with this
principal in the future
---
 kadmin/kadmin.1 | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/kadmin/kadmin.1 b/kadmin/kadmin.1
index 73723ce3d..f6e970776 100644
--- a/kadmin/kadmin.1
+++ b/kadmin/kadmin.1
@@ -329,7 +329,13 @@ Run the password quality check function locally.
 You can run this on the host that is configured to run the kadmind
 process to verify that your configuration file is correct.
 The verification is done locally, if kadmin is run in remote mode,
-no rpc call is done to the server.
+no rpc call is done to the server. NOTE: if the environment has
+verify-password-quality configured to use a back-end that stores
+password history (such as heimdal-history), running
+verify-quality-password will cause an update to the password
+database meaning that merely verifying the quality of the password
+using verify-quality-password invalidates the use of that
+principal/password in the future.
 .Ed
 .Pp
 .Nm privileges