MIT Kerberos kadm5_hook plugins calling kadmin functions

Greg Hudson ghudson at MIT.EDU
Tue Dec 10 00:12:43 EST 2013

On 12/09/2013 11:26 PM, Russ Allbery wrote:
> This works fine on Heimdal, but with MIT Kerberos 1.10.1 in Debian stable
> it appears to corrupt the state of the db2 plugin.

I can see how problems would result; kadm5_destroy() calls
krb5_db_fini() on the context.  kadmind seg faulting is probably a bug,
but the KRB5_KDB_DBNOTINITED error is kind of expected.  We wouldn't
have this problem if DB handles were independent of krb5 contexts, but
that isn't our current design.

I think your code should work if you create a new context with
kadm5_init_krb5_context() instead of using the one passed in through the
plugin interface.  You should be able to safely use the passed-in
context for krb5_db operations, but not to create a kadm5srv handle.
