I think the problem is in krb5_ldap_read_policy() in ldap_tkt_policy.c, where it makes three calls to krb5_ldap_get_value() and casts from long * to int * for the return parameter. On a big-endian LP64 platform, the 32-bit result gets written into the high 32 bits of the field. There are some other unsafe uses of krb5_ldap_get_value() which cast from int32_t * to int *, but those aren't likely to cause a practical issue since there aren't any common platforms where int isn't 32 bits. We should probably fix those when we fix the bug, though. We do have a big-endian nightly build machine running Solaris, but it doesn't test LDAP functionality for lack of dependencies. It will take a bit to spin up an LDAP environment on that machine to test the fix with.
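The effect described above, as an added example that is not part of the original comment or of the krb5 source: a 32-bit store through a pointer cast from a 64-bit field, next to the read-into-a-temporary pattern that avoids it. The names `get_value`, `store32_at_start`, `load64`, `unsafe_read` and `safe_read` and the value 36000 are hypothetical, and the byte order is simulated on a byte array so the result is the same on any host.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a getter that stores a 32-bit result via int *. */
static void get_value(int32_t *retval) { *retval = 36000; }

/* Write v as the first 4 bytes of an 8-byte field, as the (int *) cast of a
 * long * does on an LP64 platform with the given byte order. */
static void store32_at_start(uint8_t field[8], uint32_t v, int big_endian)
{
    for (int i = 0; i < 4; i++)
        field[i] = (uint8_t)(v >> (big_endian ? 8 * (3 - i) : 8 * i));
}

/* Read the whole 8-byte field back the way the platform reads a long. */
static uint64_t load64(const uint8_t field[8], int big_endian)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v |= (uint64_t)field[i] << (big_endian ? 8 * (7 - i) : 8 * i);
    return v;
}

/* Unsafe pattern: the getter's 32-bit store lands at the field's address. */
static uint64_t unsafe_read(int big_endian)
{
    uint8_t field[8] = {0};   /* zero-initialised 64-bit long field */
    int32_t v;
    get_value(&v);
    store32_at_start(field, (uint32_t)v, big_endian);
    return load64(field, big_endian);
}

/* Safe pattern: read into a correctly typed temporary, then assign. */
static long long safe_read(void)
{
    int32_t tmp = 0;
    get_value(&tmp);
    long long field = tmp;    /* integer conversion widens the value */
    return field;
}

int main(void)
{
    printf("LP64 big-endian:    %llu\n", (unsigned long long)unsafe_read(1));
    printf("LP64 little-endian: %llu\n", (unsigned long long)unsafe_read(0));
    printf("temporary + assign: %lld\n", safe_read());
    return 0;
}
```

On the little-endian layout the cast only appears to work because the field starts out zeroed; the upper four bytes are never written by the getter.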