Heads up: kadm5 initialization API change in 1.8

ghudson@MIT.EDU ghudson at MIT.EDU
Mon Aug 17 15:41:00 EDT 2009

In http://mailman.mit.edu/pipermail/kerberos/2009-August/015186.html
it was noted that kadmin.local isn't printing extended error messages
under most circumstances.

This is because libkadm5 uses its own internal context inside server
handles.  My understanding is that krb5 contexts used to be considered
cheap, so it was fine to keep a bunch of them around for no reason
other than API convenience, but that's not true now that we have
extended error messages.  The presence of multiple contexts makes it
much less likely that good error information will make its way back to
the user.

In kadm5/admin.h we include the disclaimer:

 * - We may make arbitrary incompatible changes between feature
 *   releases (e.g. from 1.7 to 1.8).

Taking advantage of that liberty, I have modified all of the
kadm5_init functions on the trunk to accept a krb5_context parameter.
A comment indicates that the context must be initialized with
kadm5_init_krb5_context, that the context must survive as long as the
server handle, and that it is the caller's responsibility to free the

More information about the krbdev mailing list