MIT Kerberos kadm5_hook plugins calling kadmin functions
Russ Allbery
eagle at eyrie.org
Tue Dec 10 01:52:58 EST 2013
Greg Hudson <ghudson at MIT.EDU> writes:
> On 12/09/2013 11:26 PM, Russ Allbery wrote:

>> This works fine on Heimdal, but with MIT Kerberos 1.10.1 in Debian
>> stable it appears to corrupt the state of the db2 plugin.

> I can see how problems would result; kadm5_destroy() calls
> krb5_db_fini() on the context. kadmind seg faulting is probably a bug,
> but the KRB5_KDB_DBNOTINITED error is kind of expected. We wouldn't
> have this problem if DB handles were independent of krb5 contexts, but
> that isn't our current design.

> I think your code should work if you create a new context with
> kadm5_init_krb5_context() instead of using the one passed in through the
> plugin interface. You should be able to safely use the passed-in
> context for krb5_db operations, but not to create a kadm5srv handle.

Beautiful, thank you! That works great. I should have thought of trying
that, but wasn't thinking of the database as being tied to the underlying
Kerberos context.

--
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>