diff --git a/lib/kadm5/ent_setup.c b/lib/kadm5/ent_setup.c
index ca5b2ed55..da12ddd61 100644
--- a/lib/kadm5/ent_setup.c
+++ b/lib/kadm5/ent_setup.c
@@ -40,46 +40,53 @@ RCSID("$Id$"); -#define set_value(X, V) do { if((X) == NULL) (X) = malloc(sizeof(*(X))); *(X) = V; } while(0); +#define set_value(X, V) do { if((X) == NULL) (X) = malloc(sizeof(*(X))); *(X) = V; } while(0) + +static void +attr_to_flags(unsigned attr, HDBFlags *flags) +{ + flags->postdate = !(attr & KRB5_KDB_DISALLOW_POSTDATED); + flags->forwardable = !(attr & KRB5_KDB_DISALLOW_FORWARDABLE); + flags->initial = !!(attr & KRB5_KDB_DISALLOW_TGT_BASED); + flags->renewable = !(attr & KRB5_KDB_DISALLOW_RENEWABLE); + flags->proxiable = !(attr & KRB5_KDB_DISALLOW_PROXIABLE); + /* DUP_SKEY */ + flags->invalid = !!(attr & KRB5_KDB_DISALLOW_ALL_TIX); + flags->require_preauth = !!(attr & KRB5_KDB_REQUIRES_PRE_AUTH); + /* HW_AUTH */ + flags->server = !(attr & KRB5_KDB_DISALLOW_SVR); + flags->change_pw = !!(attr & KRB5_KDB_PWCHANGE_SERVICE); +} kadm5_ret_t -_kadm5_setup_entry(hdb_entry *ent, kadm5_principal_ent_t princ, u_int32_t mask) +_kadm5_setup_entry(hdb_entry *ent, kadm5_principal_ent_t princ, + kadm5_principal_ent_t def, u_int32_t mask) { if(mask & KADM5_PRINC_EXPIRE_TIME) set_value(ent->valid_end, princ->princ_expire_time); if(mask & KADM5_PW_EXPIRATION) set_value(ent->pw_end, princ->pw_expiration); - if(mask & KADM5_ATTRIBUTES){ - ent->flags.postdate = - !(princ->attributes & KRB5_KDB_DISALLOW_POSTDATED); - ent->flags.forwardable = - !(princ->attributes & KRB5_KDB_DISALLOW_FORWARDABLE); - ent->flags.initial = - !!(princ->attributes & KRB5_KDB_DISALLOW_TGT_BASED); - ent->flags.renewable = - !(princ->attributes & KRB5_KDB_DISALLOW_RENEWABLE); - ent->flags.proxiable = - !(princ->attributes & KRB5_KDB_DISALLOW_PROXIABLE); - /* DUP_SKEY */ - ent->flags.invalid = - !!(princ->attributes & KRB5_KDB_DISALLOW_ALL_TIX); - ent->flags.require_preauth = - !!(princ->attributes & KRB5_KDB_REQUIRES_PRE_AUTH); - /* HW_AUTH */ - ent->flags.server = - !(princ->attributes & KRB5_KDB_DISALLOW_SVR); - ent->flags.change_pw = - !!(princ->attributes & 
KRB5_KDB_PWCHANGE_SERVICE); - /* SUPPPORT_DESMD5 */ - /* NEW_PRINC */ - + if(mask & KADM5_ATTRIBUTES) + attr_to_flags(princ->attributes, &ent->flags); + else if(def){ + /* attr_to_flags(def->attributes, &ent->flags); */ + ent->flags.client = 1; + ent->flags.server = 1; + ent->flags.forwardable = 1; + ent->flags.proxiable = 1; + ent->flags.renewable = 1; + ent->flags.postdate = 1; } if(mask & KADM5_MAX_LIFE) set_value(ent->max_life, princ->max_life); + else if(def && def->max_life) + set_value(ent->max_life, def->max_life); if(mask & KADM5_KVNO) ent->kvno = princ->kvno; if(mask & KADM5_MAX_RLIFE) set_value(ent->max_renew, princ->max_renewable_life); + else if(def && def->max_renewable_life) + set_value(ent->max_renew, def->max_renewable_life); if(mask & KADM5_TL_DATA){ /* XXX */ }
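Review bot: In the `else if(def)` branch of `_kadm5_setup_entry`, `def->attributes` is never consulted: the call `attr_to_flags(def->attributes, &ent->flags)` is left commented out, six permissive flags (`client`, `server`, `forwardable`, `proxiable`, `renewable`, `postdate`) are hard-coded to 1, and nothing else in `ent->flags` is touched. If `def` is meant to carry the realm's default principal, a restriction set there (for example `KRB5_KDB_REQUIRES_PRE_AUTH` or `KRB5_KDB_DISALLOW_FORWARDABLE`) would not reach entries set up without `KADM5_ATTRIBUTES`. Either enable the call and follow it with `ent->flags.client = 1;` if that flag must still be forced, or replace the dead line with a comment saying why the defaults are fixed. Separately, the two new `else if(def && ...)` branches add more uses of `set_value`, which still writes `*(X) = V` without checking the `malloc` result. The function body continues past the end of this hunk.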