MIT Kerberos kadm5_hook plugins calling kadmin functions

Russ Allbery eagle at
Tue Dec 10 01:52:58 EST 2013

Greg Hudson <ghudson at MIT.EDU> writes:
> On 12/09/2013 11:26 PM, Russ Allbery wrote:

>> This works fine on Heimdal, but with MIT Kerberos 1.10.1 in Debian
>> stable it appears to corrupt the state of the db2 plugin.

> I can see how problems would result; kadm5_destroy() calls
> krb5_db_fini() on the context.  kadmind seg faulting is probably a bug,
> but the KRB5_KDB_DBNOTINITED error is kind of expected.  We wouldn't
> have this problem if DB handles were independent of krb5 contexts, but
> that isn't our current design.

> I think your code should work if you create a new context with
> kadm5_init_krb5_context() instead of using the one passed in through the
> plugin interface.  You should be able to safely use the passed-in
> context for krb5_db operations, but not to create a kadm5srv handle.

Beautiful, thank you!  That works great.  I should have thought of trying
that, but wasn't thinking of the database as being tied to the underlying
Kerberos context.

Russ Allbery (eagle at              <>

More information about the Kerberos mailing list