glibc's getpwnam_r returns success even if the user wasn't found, but the result pointer is set to NULL. The Kerberos source assumes that k5_getpwnam_r will fail if the user wasn't found and dereferences OUT without any further checks. Use a technique similar to the other cases and change the status to -1 if OUT is NULL. A better approach may be to change the source to not assume success means that OUT is non-NULL, since that appears to be all POSIX guarantees. But this works.