From 753e63627404e8dc88e480c2100a98de1ec87d79 Mon Sep 17 00:00:00 2001
From: Nicolas Williams <nico@twosigma.com>
Date: Tue, 22 Sep 2020 18:27:05 -0500
Subject: [PATCH] hdb: Fix new key delay special casing of kvno 1

---
 lib/hdb/common.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/hdb/common.c b/lib/hdb/common.c
index 44fda92f6..d65642948 100644
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -1194,11 +1194,10 @@ fix_keys(krb5_context context,
             continue;
 
         /*
-         * Ignore the keyset with kvno 1 when the entry is at 2 because
-         * kadmin's `ank -r' command immediately changes the keys.
+         * Ignore the keyset with kvno 1 when the entry has better kvnos
+         * because kadmin's `ank -r' command immediately changes the keys.
          */
-        if (h->entry.kvno == 2 && keys.val[i].kvno == 1 &&
-            keys.val[i].set_time[0] - best < 30)
+        if (kvno > 1 && keys.val[i].kvno == 1)
             continue;
 
         /*