MIT Kerberos kadm5_hook plugins calling kadmin functions

Russ Allbery eagle at
Mon Dec 9 23:26:45 EST 2013

Hello all,

The next version of krb5-sync will support a new feature where the
behavior of the synchronization depends on whether other principals exist
in the database.  (Specifically, it supports a configurable instance
which, if present, is synchronized as the main account password in Active
Directory rather than using the main principal in MIT Kerberos.)  This
requires the krb5-sync kadm5_hook plugin to make calls into libkadm5srv.

This works fine on Heimdal, but with MIT Kerberos 1.10.1 in Debian stable
it appears to corrupt the state of the db2 plugin.  If I make libkadm5srv
calls from the plugin prior to the account creation or password change,
the actual account creation or password change fails with
KRB5_KDB_DBNOTINITED, and then any subsequent attempt to manipulate
policies in the database causes kadmind to die with a segfault.

Is this expected in the sense that plugins simply cannot do this?  If not,
is this fixed in a later version of MIT Kerberos?

Is there any safe way to make (read-only) libkadm5_srv calls from inside a
kadm5_hook plugin?

Russ Allbery (eagle at              <>

More information about the Kerberos mailing list