Index: modules/univention/s4connector/s4/password.py
===================================================================
--- modules/univention/s4connector/s4/password.py	(Revision 51441)
+++ modules/univention/s4connector/s4/password.py	(Arbeitskopie)
@@ -361,10 +361,10 @@
 		if ctr3.num_old_keys != 0 and ctr3.num_old_keys != ctr3.num_keys:
 			# TODO: Recommended policy is to fill up old_keys to match num_keys, this will result in a traceback, can we do something better?
 			ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: Primary:Kerberos num_keys = %s" % ctr3.num_keys)
-			for k in ctr4.keys:
+			for k in ctr3.keys:
 				ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: ctr3.key.keytype: %s" % k.keytype)
 			ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: Primary:Kerberos num_old_keys = %s" % ctr3.num_old_keys)
-			for k in ctr4.old_keys:
+			for k in ctr3.old_keys:
 				ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: ctr3.old_key.keytype: %s" % k.keytype)
 
 		krb = drsblobs.package_PrimaryKerberosBlob()