--- kadm5-0.2.3/kadm5.c 2003-05-28 06:51:42.000000000 -0400
+++ kadm5-0.2.3-r1/kadm5.c 2011-10-21 15:00:28.000000000 -0400
@@ -610,24 +610,6 @@
 RETURN_FALSE;
 }
 
- /*
- * If -policy was not specified, and -clearpolicy was not
- * specified, and the policy "default" exists, assign it. If
- * -clearpolicy was specified, then KADM5_POLICY_CLR should be
- * unset, since it is never valid for kadm5_create_principal.
- */
- if ((! (mask & KADM5_POLICY)) && (! (mask & KADM5_POLICY_CLR))) {
- if (! kadm5_get_policy(handle, "default", &defpol)) {
- php_error(E_WARNING, "No policy specified for %s; assigning \"default\"", princstr);
- princ.policy = "default";
- mask |= KADM5_POLICY;
- (void) kadm5_free_policy_ent(handle, &defpol);
- } else {
- php_error(E_WARNING, "No policy specified for %s; defaulting to no policy", princstr);
- }
- }
- mask &= ~KADM5_POLICY_CLR;
-
 /* parsing options */
 if (options) {
 HashTable *options_hash;
@@ -700,6 +682,24 @@
 }
 }
 
+ /*
+ * If -policy was not specified, and -clearpolicy was not
+ * specified, and the policy "default" exists, assign it. If
+ * -clearpolicy was specified, then KADM5_POLICY_CLR should be
+ * unset, since it is never valid for kadm5_create_principal.
+ */
+ if ((! (mask & KADM5_POLICY)) && (! (mask & KADM5_POLICY_CLR))) {
+ if (! kadm5_get_policy(handle, "default", &defpol)) {
+ php_error(E_WARNING, "No policy specified for %s; assigning \"default\"", princstr);
+ princ.policy = "default";
+ mask |= KADM5_POLICY;
+ (void) kadm5_free_policy_ent(handle, &defpol);
+ } else {
+ php_error(E_WARNING, "No policy specified for %s; defaulting to no policy", princstr);
+ }
+ }
+ mask &= ~KADM5_POLICY_CLR;
+
 if (randkey) {
 princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; /* set notix */
 mask |= KADM5_ATTRIBUTES;
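Review bot: In the block re-added after option parsing (second hunk), every non-zero return from `kadm5_get_policy(handle, "default", &defpol)` is treated as "the default policy does not exist". A lookup that fails for some other reason, such as a transport error or a missing privilege on the admin handle, therefore takes the `else` branch, and the function appears to carry on without a policy after only an `E_WARNING`. The fallback fails open on what is effectively the password-policy control for new principals. I would keep the return code, `rc = kadm5_get_policy(handle, "default", &defpol);`, take the no-policy branch only when `rc == KADM5_UNK_POLICY`, and fail the call on any other error as the earlier `RETURN_FALSE;` paths do. The enclosing function starts and ends outside the hunk, so the declaration for `rc` and any cleanup needed before returning would have to be checked against the full body.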