rkerberos 0.2.1 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7d95bc44b05fe9b2d7d50af063944d2464a39e2387c6af3c9b8dbefd68025e94
-  data.tar.gz: 8dcdcec07fcdd598065fc7e826dda60b66a683c0cfb500aaa594fdbe5b5c3326
+  metadata.gz: 10c43a653634532f7c52f8156f9ea2c9b5646d9bdff60866f8dde301c1abe5e7
+  data.tar.gz: 99021863b149758d3231938481736878027ad99ef8b4056d3d994e0b0a8dbffb
 SHA512:
-  metadata.gz: ee3844d89f82e24b9447f67538e40f9af8d4df630c3e3da757e0ce8c3d54b1ba1d3a57d48db0c2ed4001a687dd1ccfbcb2e3c5ef6eb120b5eed5802964a47f74
-  data.tar.gz: 93003f70201a17ecbc3f158cf4fa997657ee1d25b1c28d3e3019207f3b3664d880db4d3297a8a542d54343ad4fe2f38afa607b028ea161d6bbb50a1a526f4e63
+  metadata.gz: c74926903cdbbcafe0e756189b0e5b53308fc30f4808d090d8091e92941c28f9c7e4629f61c9fb30df130990574bec809f42cfccee9d75d9b697e27e5654889f
+  data.tar.gz: 798be63f34c776a54d1ea54556edc36d965ac0149b7a04414f37b16db3439f8ea1dc8ae7d0f64a0c826c3f80d7cdea0818f5c519a2a77bac0495fa3cb4a44317

data/CHANGES.md

@@ -1,4 +1,17 @@
- = 0.2.1 - 1-Mar-2026
+# 0.2.2 - 3-Mar-2026
+* Added custom .dup methods for CredentialsCache and Keytab.
+* Added the keytab_name and keytab_type methods to Keytab.
+* Added the cache_name, cache_type and principal methods to CredentialsCache.
+* The Keytab#get_entry method now properly honors the vno and encoding type arguments.
+* Fixed the max_life and max_rlife attributes in Config.
+* Fixed the get_privileges method in Kadm5.
+* Fixed the change_password method in Kadm5 and added specs for it. Previously it would
+  generally always return true because it wasn't considering KDC failures, only raw
+  function failures.
+* Heaps of memory leak fixes. Get it? Heaps? Right, I'll see myself out.
+* Converted the CHANGES and MANIFEST files to markdown.
+
+# 0.2.1 - 1-Mar-2026
 * Added the verify_init_creds and an authenticate! methods.
 * The Context constructor now accepts optional :secure and/or :profile arguments
   for different types of contexts.
@@ -10,37 +23,37 @@
 * The rake-compiler gem is now a development dependency, not a runtime
   dependency (thanks Ondřej Gajdušek).
 
- = 0.2.0 - 14-Feb-2026
+# 0.2.0 - 14-Feb-2026
 * Added Docker and Podman support for running tests in isolated environments with Kerberos and OpenLDAP services.
 * Updated documentation with modern testing and development workflows, including container-based instructions.
 * Improved compatibility for Ruby 3.4 and later.
 * Enhanced build and test automation using docker-compose and podman-compose.
 * Various bug fixes, code cleanups, and test improvements.
 
-= 0.1.5 - 17-Oct-2016
+# 0.1.5 - 17-Oct-2016
 * Fix build error on Ruby 2.0.0/2.1 with CFLAGS concatenation
 
-= 0.1.4 - 14-Oct-2016
+# 0.1.4 - 14-Oct-2016
 * Implement db_args functionality in kadmin (fixes #8)
 * Fix a double-free error when setting the realm for a principal
 * Fix an error in policy creation that would sometimes cause a communication failure
 * Set C99 as the C Standard and fix all compiler warnings at this level
 
-= 0.1.3 - 07-Sep-2013
+# 0.1.3 - 07-Sep-2013
 * Add optional 'service' argument to get_init_creds_password (fixes #3)
 * Artistic License 2.0 text now included (fixes #2)
 
-= 0.1.2 - 24-Jun-2013
+# 0.1.2 - 24-Jun-2013
 * Fix kadm5clnt build issue on EL6
 * Remove admin_keytab references for krb5 1.11
 * Add Gemfile
 * Replace deprecated Config with RbConfig (Ruby 2)
 
-= 0.1.1 - 08-May-2013
+# 0.1.1 - 08-May-2013
 * Add credential cache argument to get_init_creds_keytab
 * Fixed invalid VALUE declarations affecting non-gcc compilers
 * Add OS X install instructions
 
-= 0.1.0 - 28-Apr-2011
+# 0.1.0 - 28-Apr-2011
 * Initial release. This is effectively a re-release of my own custom branch
   of the krb5-auth library, with some minor changes.

data/MANIFEST.md

@@ -1,16 +1,24 @@
-CHANGES.md
-rkerberos.gemspec
-MANIFEST.md
-Rakefile
-README
-ext/ccache.c
-ext/context.c
-ext/extconf.rb
-ext/kadm5.c
-ext/keytab.c
-ext/keytab_entry.c
-ext/rkerberos.c
-ext/rkerberos.h
-ext/policy.c
-ext/principal.c
-test/test_krb5.rb
+* CHANGES.md
+* rkerberos.gemspec
+* MANIFEST.md
+* Rakefile
+* README
+* ext/ccache.c
+* ext/context.c
+* ext/extconf.rb
+* ext/kadm5.c
+* ext/keytab.c
+* ext/keytab_entry.c
+* ext/rkerberos.c
+* ext/rkerberos.h
+* ext/policy.c
+* ext/principal.c
+* spec/config_spec.rb
+* spec/context_spec.rb
+* spec/credentials_spec.rb
+* spec/kadm5_spec.rb
+* spec/keytab_entry_spec.rb
+* spec/krb5_keytab_spec.rb
+* spec/krb5_spec.rb
+* spec/policy_spec.rb
+* spec/principal_spec.rb

data/Rakefile

@@ -100,7 +100,10 @@ namespace :spec do
 
     FileUtils.rm_rf('Gemfile.lock')
     begin
-      sh "#{compose} build --no-cache rkerberos-test" unless fast
+      unless fast
+        sh "#{compose} build --no-cache kerberos-kdc"
+        sh "#{compose} build --no-cache rkerberos-test"
+      end
       sh "#{compose} run --rm rkerberos-test"
     ensure
       # redirect stderr so missing-container messages don't appear

data/ext/rkerberos/ccache.c

@@ -157,6 +157,40 @@ static VALUE rkrb5_ccache_default_name(VALUE self){
   return rb_str_new2(krb5_cc_default_name(ptr->ctx));
 }
 
+// Wrapper for krb5_cc_get_name; returns the actual ccache name.
+static VALUE rkrb5_ccache_get_name(VALUE self){
+  RUBY_KRB5_CCACHE* ptr;
+  const char *name;
+
+  TypedData_Get_Struct(self, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, ptr);
+
+  if(!ptr->ctx)
+    rb_raise(cKrb5Exception, "no context has been established");
+
+  name = krb5_cc_get_name(ptr->ctx, ptr->ccache);
+  if(!name)
+    rb_raise(cKrb5Exception, "krb5_cc_get_name returned NULL");
+
+  return rb_str_new2(name);
+}
+
+// Wrapper for krb5_cc_get_type; returns the cache type string.
+static VALUE rkrb5_ccache_get_type(VALUE self){
+  RUBY_KRB5_CCACHE* ptr;
+  const char *type;
+
+  TypedData_Get_Struct(self, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, ptr);
+
+  if(!ptr->ctx)
+    rb_raise(cKrb5Exception, "no context has been established");
+
+  type = krb5_cc_get_type(ptr->ctx, ptr->ccache);
+  if(!type)
+    rb_raise(cKrb5Exception, "krb5_cc_get_type returned NULL");
+
+  return rb_str_new2(type);
+}
+
 /*
  * call-seq:
  *   ccache.primary_principal
@@ -173,6 +207,11 @@ static VALUE rkrb5_ccache_primary_principal(VALUE self){
   if(!ptr->ctx)
     rb_raise(cKrb5Exception, "no context has been established");
 
+  if(ptr->principal){
+    krb5_free_principal(ptr->ctx, ptr->principal);
+    ptr->principal = NULL;
+  }
+
   kerror = krb5_cc_get_principal(ptr->ctx, ptr->ccache, &ptr->principal);
 
   if(kerror)
@@ -183,7 +222,15 @@ static VALUE rkrb5_ccache_primary_principal(VALUE self){
   if(kerror)
     rb_raise(cKrb5Exception, "krb5_unparse_name: %s", error_message(kerror));
 
-  return rb_str_new2(name);
+  VALUE v_name = rb_str_new2(name);
+  krb5_free_unparsed_name(ptr->ctx, name);
+
+  return v_name;
+}
+
+// Simple wrapper around krb5_cc_get_principal returning a principal name string.
+static VALUE rkrb5_ccache_principal(VALUE self){
+  return rkrb5_ccache_primary_principal(self);
 }
 
 /*
@@ -237,6 +284,47 @@ static VALUE rkrb5_ccache_destroy(VALUE self){
   return v_bool;
 }
 
+// Duplicate the credentials cache object.
+// call-seq:
+//   ccache.dup -> new_ccache
+//
+// Returns a new Kerberos::Krb5::CredentialsCache that references the
+// same underlying cache data. The new object has its own krb5 context so
+// that closing one cache does not affect the other.
+static VALUE rkrb5_ccache_dup(VALUE self){
+  RUBY_KRB5_CCACHE *ptr, *newptr;
+  krb5_error_code kerror;
+  VALUE newobj;
+
+  TypedData_Get_Struct(self, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, ptr);
+
+  if(!ptr->ctx)
+    rb_raise(cKrb5Exception, "no context has been established");
+
+  // allocate new ruby object and struct
+  newobj = rkrb5_ccache_allocate(CLASS_OF(self));
+  TypedData_Get_Struct(newobj, RUBY_KRB5_CCACHE, &rkrb5_ccache_data_type, newptr);
+
+  // initialize a fresh context for the duplicate
+  kerror = krb5_init_context(&newptr->ctx);
+  if(kerror){
+    rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
+  }
+
+  // perform ccache duplication using the new context
+  kerror = krb5_cc_dup(newptr->ctx, ptr->ccache, &newptr->ccache);
+  if(kerror){
+    krb5_free_context(newptr->ctx);
+    newptr->ctx = NULL;
+    rb_raise(cKrb5Exception, "krb5_cc_dup: %s", error_message(kerror));
+  }
+
+  // principal is not copied; let callers query primary_principal on each
+  newptr->principal = NULL;
+
+  return newobj;
+}
+
 void Init_ccache(void){
   /* The Kerberos::Krb5::CredentialsCache class encapsulates a Kerberos credentials cache. */
   cKrb5CCache = rb_define_class_under(cKrb5, "CredentialsCache", rb_cObject);
@@ -250,8 +338,13 @@ void Init_ccache(void){
   // Instance Methods
   rb_define_method(cKrb5CCache, "close", rkrb5_ccache_close, 0);
   rb_define_method(cKrb5CCache, "default_name", rkrb5_ccache_default_name, 0);
+  rb_define_method(cKrb5CCache, "cache_name", rkrb5_ccache_get_name, 0);
+  rb_define_method(cKrb5CCache, "cache_type", rkrb5_ccache_get_type, 0);
   rb_define_method(cKrb5CCache, "destroy", rkrb5_ccache_destroy, 0);
   rb_define_method(cKrb5CCache, "primary_principal", rkrb5_ccache_primary_principal, 0);
+  rb_define_method(cKrb5CCache, "principal", rkrb5_ccache_principal, 0);
+  rb_define_method(cKrb5CCache, "dup", rkrb5_ccache_dup, 0);
+  rb_define_alias(cKrb5CCache, "clone", "dup");
 
   // Aliases
   rb_define_alias(cKrb5CCache, "delete", "destroy");

data/ext/rkerberos/config.c

@@ -263,12 +263,12 @@ static VALUE rkadm5_config_inspect(VALUE self){
   rb_str_buf_append(v_str, rb_inspect(rb_iv_get(self, "@mkey_from_kbd")));
   rb_str_buf_cat2(v_str, " ");
 
-  rb_str_buf_cat2(v_str, "maxlife=");
-  rb_str_buf_append(v_str, rb_inspect(rb_iv_get(self, "@maxlife")));
+  rb_str_buf_cat2(v_str, "max_life=");
+  rb_str_buf_append(v_str, rb_inspect(rb_iv_get(self, "@max_life")));
   rb_str_buf_cat2(v_str, " ");
 
-  rb_str_buf_cat2(v_str, "maxrlife=");
-  rb_str_buf_append(v_str, rb_inspect(rb_iv_get(self, "@maxrlife")));
+  rb_str_buf_cat2(v_str, "max_rlife=");
+  rb_str_buf_append(v_str, rb_inspect(rb_iv_get(self, "@max_rlife")));
   rb_str_buf_cat2(v_str, " ");
 
   rb_str_buf_cat2(v_str, "num_keysalts=");

data/ext/rkerberos/kadm5.c

@@ -8,6 +8,7 @@ VALUE cKadm5PrincipalNotFoundException;
 
 // Prototype
 static VALUE rkadm5_close(VALUE);
+static void free_tl_data(krb5_tl_data *);
 char** parse_db_args(VALUE v_db_args);
 void add_db_args(kadm5_principal_ent_rec*, char**);
 void add_tl_data(krb5_int16 *, krb5_tl_data **,
@@ -18,6 +19,8 @@ void add_tl_data(krb5_int16 *, krb5_tl_data **,
 static void rkadm5_typed_free(void *ptr) {
   if (!ptr) return;
   RUBY_KADM5 *k = (RUBY_KADM5 *)ptr;
+  if (k->handle)
+    kadm5_destroy(k->handle);
   if (k->princ)
     krb5_free_principal(k->ctx, k->princ);
   if (k->ctx)
@@ -72,6 +75,7 @@ static VALUE rkadm5_initialize(VALUE self, VALUE v_opts){
   char* pass = NULL;
   char* keytab = NULL;
   char* service = NULL;
+  char default_keytab_name[MAX_KEYTAB_NAME_LEN];
   krb5_error_code kerror;
 
   TypedData_Get_Struct(self, RUBY_KADM5, &rkadm5_data_type, ptr);
@@ -126,14 +130,12 @@ static VALUE rkadm5_initialize(VALUE self, VALUE v_opts){
   // The docs say I can use NULL to get the default, but reality appears to be otherwise.
   if(RTEST(v_keytab)){
     if(TYPE(v_keytab) == T_TRUE){
-      char default_name[MAX_KEYTAB_NAME_LEN];
-
-      kerror = krb5_kt_default_name(ptr->ctx, default_name, MAX_KEYTAB_NAME_LEN);
+      kerror = krb5_kt_default_name(ptr->ctx, default_keytab_name, MAX_KEYTAB_NAME_LEN);
 
       if(kerror)
         rb_raise(cKrb5Exception, "krb5_kt_default_name: %s", error_message(kerror));
 
-      keytab = default_name;
+      keytab = default_keytab_name;
     }
     else{
       Check_Type(v_keytab, T_STRING);
@@ -206,6 +208,11 @@ static VALUE rkadm5_set_password(VALUE self, VALUE v_user, VALUE v_pass){
   if(!ptr->ctx)
     rb_raise(cKadm5Exception, "no context has been established");
 
+  if(ptr->princ){
+    krb5_free_principal(ptr->ctx, ptr->princ);
+    ptr->princ = NULL;
+  }
+
   kerror = krb5_parse_name(ptr->ctx, user, &ptr->princ);
 
   if(kerror)
@@ -239,6 +246,11 @@ static VALUE rkadm5_set_pwexpire(VALUE self, VALUE v_user, VALUE v_pwexpire){
   if(!ptr->ctx)
     rb_raise(cKadm5Exception, "no context has been established");
 
+  if(ptr->princ){
+    krb5_free_principal(ptr->ctx, ptr->princ);
+    ptr->princ = NULL;
+  }
+
   kerror = krb5_parse_name(ptr->ctx, user, &ptr->princ);
 
   if(kerror)
@@ -258,6 +270,8 @@ static VALUE rkadm5_set_pwexpire(VALUE self, VALUE v_user, VALUE v_pwexpire){
   ent.pw_expiration=pwexpire;
   kerror = kadm5_modify_principal(ptr->handle, &ent, KADM5_PW_EXPIRATION);
 
+  kadm5_free_principal_ent(ptr->handle, &ent);
+
   if(kerror)
     rb_raise(cKadm5Exception, "kadm5_set_pwexpire: %s", error_message(kerror));
 
@@ -307,15 +321,21 @@ static VALUE rkadm5_create_principal(int argc, VALUE* argv, VALUE self){
 
   kerror = krb5_parse_name(ptr->ctx, user, &princ.principal);
 
-  if(kerror)
+  if(kerror){
+    free_tl_data(princ.tl_data);
     rb_raise(cKadm5Exception, "krb5_parse_name: %s", error_message(kerror));
+  }
 
   kerror = kadm5_create_principal(ptr->handle, &princ, mask, pass);
 
-  if(kerror)
+  if(kerror){
+    krb5_free_principal(ptr->ctx, princ.principal);
+    free_tl_data(princ.tl_data);
     rb_raise(cKadm5Exception, "kadm5_create_principal: %s", error_message(kerror));
+  }
 
   krb5_free_principal(ptr->ctx, princ.principal);
+  free_tl_data(princ.tl_data);
 
   return self;
 }
@@ -337,6 +357,11 @@ static VALUE rkadm5_delete_principal(VALUE self, VALUE v_user){
   if(!ptr->ctx)
     rb_raise(cKadm5Exception, "no context has been established");
 
+  if(ptr->princ){
+    krb5_free_principal(ptr->ctx, ptr->princ);
+    ptr->princ = NULL;
+  }
+
   kerror = krb5_parse_name(ptr->ctx, user, &ptr->princ);
 
   if(kerror)
@@ -364,15 +389,15 @@ static VALUE rkadm5_close(VALUE self){
   RUBY_KADM5* ptr;
   TypedData_Get_Struct(self, RUBY_KADM5, &rkadm5_data_type, ptr);
 
+  if(ptr->handle)
+    kadm5_destroy(ptr->handle);
+
   if(ptr->princ)
     krb5_free_principal(ptr->ctx, ptr->princ);
 
   if(ptr->ctx)
     krb5_free_context(ptr->ctx);
 
-  if(ptr->handle)
-    kadm5_destroy(ptr->handle);
-
   free(ptr->db_args);
 
   ptr->db_args = NULL;
@@ -405,10 +430,10 @@ static VALUE create_principal_from_entry(VALUE v_name, RUBY_KADM5* ptr, kadm5_pr
   if(ent->last_failed)
     rb_iv_set(v_principal, "@last_failed", rb_time_new(ent->last_failed, 0));
 
-  if(ent->last_failed)
+  if(ent->last_pwd_change)
     rb_iv_set(v_principal, "@last_password_change", rb_time_new(ent->last_pwd_change, 0));
 
-  if(ent->last_failed)
+  if(ent->last_success)
     rb_iv_set(v_principal, "@last_success", rb_time_new(ent->last_success, 0));
 
   rb_iv_set(v_principal, "@max_life", LONG2FIX(ent->max_life));
@@ -425,6 +450,7 @@ static VALUE create_principal_from_entry(VALUE v_name, RUBY_KADM5* ptr, kadm5_pr
       rb_raise(cKadm5Exception, "krb5_unparse_name: %s", error_message(kerror));
 
     rb_iv_set(v_principal, "@mod_name", rb_str_new2(mod_name));
+    krb5_free_unparsed_name(ptr->ctx, mod_name);
   }
 
   if(ent->pw_expiration)
@@ -464,6 +490,11 @@ static VALUE rkadm5_find_principal(VALUE self, VALUE v_user){
   if(!ptr->ctx)
     rb_raise(cKadm5Exception, "no context has been established");
 
+  if(ptr->princ){
+    krb5_free_principal(ptr->ctx, ptr->princ);
+    ptr->princ = NULL;
+  }
+
   kerror = krb5_parse_name(ptr->ctx, user, &ptr->princ);
 
   if(kerror)
@@ -487,6 +518,7 @@ static VALUE rkadm5_find_principal(VALUE self, VALUE v_user){
   }
   else{
     v_principal = create_principal_from_entry(v_user, ptr, &ent);
+    kadm5_free_principal_ent(ptr->handle, &ent);
   }
 
   return v_principal;
@@ -520,6 +552,11 @@ static VALUE rkadm5_get_principal(VALUE self, VALUE v_user){
   if(!ptr->ctx)
     rb_raise(cKadm5Exception, "no context has been established");
 
+  if(ptr->princ){
+    krb5_free_principal(ptr->ctx, ptr->princ);
+    ptr->princ = NULL;
+  }
+
   kerror = krb5_parse_name(ptr->ctx, user, &ptr->princ);
 
   if(kerror)
@@ -543,6 +580,8 @@ static VALUE rkadm5_get_principal(VALUE self, VALUE v_user){
 
   v_principal = create_principal_from_entry(v_user, ptr, &ent);
 
+  kadm5_free_principal_ent(ptr->handle, &ent);
+
   return v_principal;
 }
 
@@ -609,7 +648,7 @@ static VALUE rkadm5_create_policy(VALUE self, VALUE v_policy){
 
   if(RTEST(v_history_num)){
     mask |= KADM5_PW_HISTORY_NUM;
-    ent.pw_max_life = NUM2LONG(v_history_num);
+    ent.pw_history_num = NUM2LONG(v_history_num);
   }
 
   kerror = kadm5_create_policy(ptr->handle, &ent, mask);
@@ -694,6 +733,8 @@ static VALUE rkadm5_get_policy(VALUE self, VALUE v_name){
     v_arg[0] = v_hash;
 
     v_policy = rb_class_new_instance(1, v_arg, cKadm5Policy);
+
+    kadm5_free_policy_ent(ptr->handle, &ent);
   }
 
   return v_policy;
@@ -749,6 +790,8 @@ static VALUE rkadm5_find_policy(VALUE self, VALUE v_name){
     v_arg[0] = v_hash;
 
     v_policy = rb_class_new_instance(1, v_arg, cKadm5Policy);
+
+    kadm5_free_policy_ent(ptr->handle, &ent);
   }
 
   return v_policy;
@@ -906,15 +949,14 @@ static VALUE rkadm5_get_principals(int argc, VALUE* argv, VALUE self){
  * KADM5_PRIV_ADD    (0x02) => "ADD"
  * KADM5_PRIV_MODIFY (0x04) => "MODIFY"
  * KADM5_PRIV_DELETE (0x08) => "DELETE"
+ *
  */
 static VALUE rkadm5_get_privs(int argc, VALUE* argv, VALUE self){
   RUBY_KADM5* ptr;
   VALUE v_return = Qnil;
   VALUE v_strings = Qfalse;
   kadm5_ret_t kerror;
-  unsigned int i;
   long privs;
-  int result = 0;
 
   TypedData_Get_Struct(self, RUBY_KADM5, &rkadm5_data_type, ptr);
 
@@ -928,31 +970,17 @@ static VALUE rkadm5_get_privs(int argc, VALUE* argv, VALUE self){
   if(RTEST(v_strings)){
     v_return = rb_ary_new();
 
-    for(i = 0; i < sizeof(privs); i++){
-      result |= (privs & 1 << i);
-      switch(privs & 1 << i){
-        case KADM5_PRIV_GET:
-          rb_ary_push(v_return, rb_str_new2("GET"));
-          break;
-        case KADM5_PRIV_ADD:
-          rb_ary_push(v_return, rb_str_new2("ADD"));
-          break;
-        case KADM5_PRIV_MODIFY:
-          rb_ary_push(v_return, rb_str_new2("MODIFY"));
-          break;
-        case KADM5_PRIV_DELETE:
-          rb_ary_push(v_return, rb_str_new2("DELETE"));
-          break;
-        default:
-          rb_ary_push(v_return, rb_str_new2("UNKNOWN"));
-      };
-    }
+    if(privs & KADM5_PRIV_GET)
+      rb_ary_push(v_return, rb_str_new2("GET"));
+    if(privs & KADM5_PRIV_ADD)
+      rb_ary_push(v_return, rb_str_new2("ADD"));
+    if(privs & KADM5_PRIV_MODIFY)
+      rb_ary_push(v_return, rb_str_new2("MODIFY"));
+    if(privs & KADM5_PRIV_DELETE)
+      rb_ary_push(v_return, rb_str_new2("DELETE"));
   }
   else{
-    for(i = 0; i < sizeof(privs); i++){
-      result |= (privs & 1 << i);
-    }
-    v_return = INT2FIX(result);
+    v_return = LONG2FIX(privs);
   }
 
   return v_return;
@@ -987,13 +1015,16 @@ static VALUE rkadm5_randkey_principal(VALUE self, VALUE v_user){
 
   kerror = kadm5_randkey_principal(ptr->handle, princ, &keys, &n_keys);
 
-  if(kerror)
+  if(kerror){
+    krb5_free_principal(ptr->ctx, princ);
     rb_raise(cKadm5Exception, "kadm5_randkey_principal: %s (%li)", error_message(kerror), kerror);
+  }
 
   for(i = 0; i < n_keys; i++)
     krb5_free_keyblock_contents(ptr->ctx, &keys[i]);
 
   free(keys);
+  krb5_free_principal(ptr->ctx, princ);
 
   return INT2NUM(n_keys);
 }
@@ -1014,7 +1045,7 @@ char** parse_db_args(VALUE v_db_args){
     case T_ARRAY:
       // Multiple arguments
       array_length = RARRAY_LEN(v_db_args);
-      db_args = (char **) malloc(array_length * sizeof(char *) + 1);
+      db_args = (char **) malloc((array_length + 1) * sizeof(char *));
       for(long i = 0; i < array_length; ++i){
         VALUE elem = rb_ary_entry(v_db_args, i);
         Check_Type(elem, T_STRING);
@@ -1046,6 +1077,15 @@ void add_db_args(kadm5_principal_ent_rec* entry, char** db_args){
 /**
  * Source code taken from kadmin source code at https://github.com/krb5/krb5/blob/master/src/kadmin/cli/kadmin.c
  */
+static void free_tl_data(krb5_tl_data *tl){
+  while(tl){
+    krb5_tl_data *next = tl->tl_data_next;
+    free(tl->tl_data_contents);
+    free(tl);
+    tl = next;
+  }
+}
+
 void add_tl_data(krb5_int16 *n_tl_datap, krb5_tl_data **tl_datap,
   krb5_int16 tl_type, krb5_ui_2 len, krb5_octet *contents){
   krb5_tl_data* tl_data;