The merge of Luke's code in r21690 changed krb5_dbekd_encrypt_key_data into a virtual function indirecting through lib_handle. This breaks kdb_ldap_util, which uses a dal_handle with a NULL lib_handle and makes direct calls to libkdb_ldap and (formerly) non-virtual functions in libkdb. The reason for using this faked-up dal_handle is that there is possibly no valid LDAP back end to open. Sam's opinion is that the best fix is to expose kdb_setup_lib_handle, thus allowing kdb5_util to set up a dal_handle with a valid lib_handle (and then fill in the db_context itself, as it does now). There is also the option of using a krb5_db_create or krb5_db_open depending on the kdap_ldap_util operation, and adjust the code accordingly.