Programmer error! Bad Admin server handle

Torsten Kurbad kerberos at tk-webart.de
Thu Feb 14 04:27:58 EST 2008


Hello,

For a project that is mainly developed in Python/Zope, I need to wrap
some functions of the kadm5-clnt lib. In particular, I need

kadm5_create_principal
kadm5_delete_principal
kadm5_chpass_principal

to be wrapped into a Python extension. Unfortunately, I'm not very
familiar with C, so I'm a bit lost here.
So far I checked out the PyKerberos extension from Apple's
Calendar Server project and extended it with a kadm5 module, which
basically consists of the following code (I use the
kadm5_get_principals method for testing to avoid potentially dangerous
writes to our Kerberos DB):

--- snip ---
#include <Python.h>

#include <sys/stat.h>
#include <sys/types.h>
#include <com_err.h>

#include <krb5.h>

#include "admin.h"


static PyObject *k5_error;

#define RETURN_ON_ERROR(message, code) \
  do if (code != 0) \
  { \
    const char *error; \
    error = krb5_get_error_message(ctx, code); \
    PyErr_Format(k5_error, "%s: %s", message, error); \
    krb5_free_error_message(ctx, error); \
    return NULL; \
  } while (0)



static PyObject *getPrincipals(PyObject *self, PyObject *args)
{
    char *client;
    char *pass;
    char *realm;
    void **handle;
    char ***princs;
    int *count;
    krb5_context ctx;
    krb5_error_code code = 0;

    code = krb5_init_context(&ctx);
    RETURN_ON_ERROR("krb5_init_context()", code);

    if (!PyArg_ParseTuple(args, "sss", &client, &pass, &realm))
      return NULL;

    code = kadm5_init_with_password(client, pass, KADM5_ADMIN_SERVICE,
                realm, KADM5_STRUCT_VERSION_1, KADM5_API_VERSION_1,
                handle);
    RETURN_ON_ERROR("kadm5_init_with_password()", code);

    code = kadm5_get_principals(&handle, "*", princs, count);
    RETURN_ON_ERROR("kadm5_get_principals()", code);

/*    return Py_BuildValue("s", &princs); */
    return Py_BuildValue("");
}


static PyMethodDef kadm5Methods[] = {
    {"kadm5_get_principals", getPrincipals, METH_VARARGS, "Test."},
    {NULL, NULL, 0, NULL}        /* Sentinel */
};

PyMODINIT_FUNC initkadm5(void)
{
    PyObject *module, *dict;

    initialize_krb5_error_table();

    module = Py_InitModule("kadm5", kadm5Methods);
    dict = PyModule_GetDict(module);
    k5_error = PyErr_NewException("PyKerberos.kadm5.Error", NULL, NULL);
    PyDict_SetItemString(dict, "Error", k5_error);
}
--- snap ---

If you ignore the Python wrapping stuff, you'll see that the code
consecutively calls kadm5_init_with_password and kadm5_get_principals,
where the latter doesn't accept the server-handle referenced by the
first.
kadm5_init_with_password returns "correct" errors if I provide an
unconfigured realm or a wrong client_name/password combination, so
that's not it.
I don't know if I did all the (de)referencing for the handle right or
if I have some fundamental misunderstanding here.
Does someone have a clue what's wrong?

Thank you in advance and best regards,
Torsten
-- 
  Gentlemen, I want you to know that I am not always right, but I am
  never wrong. -Samuel Goldwyn
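
Added example, not part of the original post and not PyKerberos or MIT Kerberos code: the handle-passing pattern the question is about, shown with a mock library so it compiles without the Kerberos headers. The names mock_init, mock_get_principals, struct mock_server and MOCK_MAGIC are hypothetical, and the magic-number check is an assumption about how a library of this kind validates its handle.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mock library, hypothetical names: stands in for kadm5 so this builds
 * without Kerberos headers. Assumption: the real library tags its handle
 * with a magic number and rejects anything else as a bad handle. */
#define MOCK_MAGIC      0x12345601u
#define MOCK_OK         0
#define MOCK_BAD_HANDLE 1

struct mock_server { uint32_t magic; int nprincs; };

/* Out-parameter style, like the last argument of kadm5_init_with_password:
 * the caller passes the address of its own void * and the library fills it. */
static int mock_init(void **server_handle)
{
    struct mock_server *s = malloc(sizeof *s);
    if (s == NULL) return MOCK_BAD_HANDLE;
    s->magic = MOCK_MAGIC;
    s->nprincs = 3;               /* constructed sample value */
    *server_handle = s;
    return MOCK_OK;
}

/* Takes the handle by value, like the first argument of kadm5_get_principals. */
static int mock_get_principals(void *server_handle, int *count)
{
    uint32_t magic;
    if (server_handle == NULL) return MOCK_BAD_HANDLE;
    memcpy(&magic, server_handle, sizeof magic);   /* read the tag safely */
    if (magic != MOCK_MAGIC) return MOCK_BAD_HANDLE;
    *count = ((struct mock_server *)server_handle)->nprincs;
    return MOCK_OK;
}

/* Returns 1 when the correct call is accepted and the &handle call is rejected. */
static int demo(void)
{
    void *handle = NULL;   /* real storage for the handle, not an unset void ** */
    int count = 0;         /* real storage for the result, not an unset int * */
    int good, bad;
    if (mock_init(&handle) != MOCK_OK) return 0;
    good = mock_get_principals(handle, &count);    /* the handle itself */
    bad  = mock_get_principals(&handle, &count);   /* address of handle: wrong object */
    free(handle);
    return good == MOCK_OK && bad == MOCK_BAD_HANDLE && count == 3;
}
int main(void) { return demo() ? 0 : 1; }
```

In the posted code's terms, this corresponds to declaring `void *handle`, `char **princs` and `int count`, passing `&handle` to kadm5_init_with_password, and passing `handle`, `&princs` and `&count` to kadm5_get_principals.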


