summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2009-11-27 15:52:57 +0100
committerGünther Deschner <gd@samba.org>2009-11-27 16:36:00 +0100
commit04f8c229de7ffad5f4ec1a0bb68c2c8b4ccf4e15 (patch)
tree5ec206577ccfe1626198427d757b993c3a21f475 /source3
parent23d77be6cb8847cbdad859269faf59fea30b27b8 (diff)
downloadsamba-04f8c229de7ffad5f4ec1a0bb68c2c8b4ccf4e15.tar.gz
samba-04f8c229de7ffad5f4ec1a0bb68c2c8b4ccf4e15.tar.bz2
samba-04f8c229de7ffad5f4ec1a0bb68c2c8b4ccf4e15.zip
s3-kerberos: only use krb5 headers where required.
This seems to be the only way to deal with mixed heimdal/MIT setups during merged build. Guenther
Diffstat (limited to 'source3')
-rw-r--r--source3/configure.in5
-rw-r--r--source3/include/ads.h71
-rw-r--r--source3/include/includes.h170
-rw-r--r--source3/include/krb5_protos.h148
-rw-r--r--source3/include/smb_krb5.h72
-rw-r--r--source3/libads/ads_status.c1
-rw-r--r--source3/libads/authdata.c1
-rw-r--r--source3/libads/kerberos.c1
-rw-r--r--source3/libads/kerberos_keytab.c1
-rw-r--r--source3/libads/kerberos_verify.c1
-rw-r--r--source3/libads/krb5_errs.c1
-rw-r--r--source3/libads/krb5_setpw.c1
-rw-r--r--source3/libnet/libnet.h1
-rw-r--r--source3/libsmb/cliconnect.c1
-rw-r--r--source3/libsmb/clikrb5.c4
-rw-r--r--source3/libsmb/clispnego.c1
-rw-r--r--source3/rpc_client/cli_pipe.c1
-rw-r--r--source3/utils/ntlm_auth.c1
-rw-r--r--source3/winbindd/winbindd_cred_cache.c2
-rw-r--r--source3/winbindd/winbindd_pam.c1
20 files changed, 256 insertions, 229 deletions
diff --git a/source3/configure.in b/source3/configure.in
index 693fe6a061..95e91c2eee 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3375,10 +3375,7 @@ if test x"$with_ads_support" != x"no"; then
samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER=no)])
if test x"$samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER" = x"yes"; then
- AC_DEFINE(KRB5_DEPRECATED, 1,
- [Whether to use deprecated krb5 interfaces])
- else
- AC_DEFINE(KRB5_DEPRECATED,,
+ AC_DEFINE(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER, 1,
[Whether to use deprecated krb5 interfaces])
fi
fi
diff --git a/source3/include/ads.h b/source3/include/ads.h
index 30f0b1fc0c..d0bae80845 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -8,6 +8,24 @@
#include "../libds/common/flags.h"
+/*
+ * This should be under the HAVE_KRB5 flag but since they're used
+ * in lp_kerberos_method(), they ned to be always available
+ */
+#define KERBEROS_VERIFY_SECRETS 0
+#define KERBEROS_VERIFY_SYSTEM_KEYTAB 1
+#define KERBEROS_VERIFY_DEDICATED_KEYTAB 2
+#define KERBEROS_VERIFY_SECRETS_AND_KEYTAB 3
+
+/*
+ * If you add any entries to the above, please modify the below expressions
+ * so they remain accurate.
+ */
+#define USE_KERBEROS_KEYTAB (KERBEROS_VERIFY_SECRETS != lp_kerberos_method())
+#define USE_SYSTEM_KEYTAB \
+ ((KERBEROS_VERIFY_SECRETS_AND_KEYTAB == lp_kerberos_method()) || \
+ (KERBEROS_VERIFY_SYSTEM_KEYTAB == lp_kerberos_method()))
+
#define TOK_ID_KRB_AP_REQ ((const uint8_t *)"\x01\x00")
#define TOK_ID_KRB_AP_REP ((const uint8_t *)"\x02\x00")
#define TOK_ID_KRB_ERROR ((const uint8_t *)"\x03\x00")
@@ -226,62 +244,9 @@ typedef void **ADS_MODLIST;
/* Kerberos environment variable names */
#define KRB5_ENV_CCNAME "KRB5CCNAME"
-/* Heimdal uses a slightly different name */
-#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
-#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
-#endif
-
-/* The older versions of heimdal that don't have this
- define don't seem to use it anyway. I'm told they
- always use a subkey */
-#ifndef HAVE_AP_OPTS_USE_SUBKEY
-#define AP_OPTS_USE_SUBKEY 0
-#endif
-
#define WELL_KNOWN_GUID_COMPUTERS "AA312825768811D1ADED00C04FD8D5CD"
#define WELL_KNOWN_GUID_USERS "A9D1CA15768811D1ADED00C04FD8D5CD"
-#ifndef KRB5_ADDR_NETBIOS
-#define KRB5_ADDR_NETBIOS 0x14
-#endif
-
-#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
-#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
-#endif
-
-#ifdef HAVE_KRB5
-typedef struct {
-#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
- krb5_address **addrs;
-#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
- krb5_addresses *addrs;
-#else
-#error UNKNOWN_KRB5_ADDRESS_TYPE
-#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */
-} smb_krb5_addresses;
-
-#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
-#define KRB5_KEY_TYPE(k) ((k)->keytype)
-#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
-#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
-#define KRB5_KEY_DATA_CAST void
-#else /* MIT */
-#define KRB5_KEY_TYPE(k) ((k)->enctype)
-#define KRB5_KEY_LENGTH(k) ((k)->length)
-#define KRB5_KEY_DATA(k) ((k)->contents)
-#define KRB5_KEY_DATA_CAST krb5_octet
-#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
-
-#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
-#define KRB5_KT_KEY(k) (&(k)->key)
-#elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
-#define KRB5_KT_KEY(k) (&(k)->keyblock)
-#else
-#error krb5_keytab_entry has no key or keyblock member
-#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
-
-#endif /* HAVE_KRB5 */
-
enum ads_extended_dn_flags {
ADS_EXTENDED_DN_HEX_STRING = 0,
ADS_EXTENDED_DN_STRING = 1 /* not supported on win2k */
diff --git a/source3/include/includes.h b/source3/include/includes.h
index 438b346445..37cb611a91 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -20,11 +20,6 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-/* work around broken krb5.h on sles9 */
-#ifdef SIZEOF_LONG
-#undef SIZEOF_LONG
-#endif
-
#include "../replace/replace.h"
/* make sure we have included the correct config.h */
@@ -146,9 +141,7 @@
#endif
#endif /* HAVE_NETGROUP */
-#if HAVE_KRB5_H
-#include <krb5.h>
-#else
+#ifndef HAVE_KRB5_H
#undef HAVE_KRB5
#endif
@@ -929,167 +922,6 @@ char *talloc_asprintf_strupper_m(TALLOC_CTX *t, const char *fmt, ...) PRINTF_ATT
#define XATTR_REPLACE 0x2 /* set value, fail if attr does not exist */
#endif
-/*
- * This should be under the HAVE_KRB5 flag but since they're used
- * in lp_kerberos_method(), they ned to be always available
- */
-#define KERBEROS_VERIFY_SECRETS 0
-#define KERBEROS_VERIFY_SYSTEM_KEYTAB 1
-#define KERBEROS_VERIFY_DEDICATED_KEYTAB 2
-#define KERBEROS_VERIFY_SECRETS_AND_KEYTAB 3
-
-/*
- * If you add any entries to the above, please modify the below expressions
- * so they remain accurate.
- */
-#define USE_KERBEROS_KEYTAB (KERBEROS_VERIFY_SECRETS != lp_kerberos_method())
-#define USE_SYSTEM_KEYTAB \
- ((KERBEROS_VERIFY_SECRETS_AND_KEYTAB == lp_kerberos_method()) || \
- (KERBEROS_VERIFY_SYSTEM_KEYTAB == lp_kerberos_method()))
-
-#if defined(HAVE_KRB5)
-krb5_error_code smb_krb5_parse_name(krb5_context context,
- const char *name, /* in unix charset */
- krb5_principal *principal);
-
-krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
- krb5_context context,
- krb5_const_principal principal,
- char **unix_name);
-
-#ifndef HAVE_KRB5_SET_REAL_TIME
-krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
-#endif
-
-krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
-
-#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
-krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock);
-#endif
-
-#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
-void krb5_free_unparsed_name(krb5_context ctx, char *val);
-#endif
-
-/* Stub out initialize_krb5_error_table since it is not present in all
- * Kerberos implementations. If it's not present, it's not necessary to
- * call it.
- */
-#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE
-#define initialize_krb5_error_table()
-#endif
-
-/* Samba wrapper function for krb5 functionality. */
-bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
-int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
-bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
-krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
-krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
-#if defined(HAVE_KRB5_LOCATE_KDC)
-krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
-#endif
-krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
-bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote);
-krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
-krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype);
-void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
-bool kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
-void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
-NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
- DATA_BLOB *pac_data_blob,
- krb5_context context,
- krb5_keyblock *service_keyblock,
- krb5_const_principal client_principal,
- time_t tgs_authtime,
- struct PAC_DATA **pac_data_out);
-void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
- struct PAC_SIGNATURE_DATA *sig);
-krb5_error_code smb_krb5_verify_checksum(krb5_context context,
- const krb5_keyblock *keyblock,
- krb5_keyusage usage,
- krb5_checksum *cksum,
- uint8 *data,
- size_t length);
-time_t get_authtime_from_tkt(krb5_ticket *tkt);
-void smb_krb5_free_ap_req(krb5_context context,
- krb5_ap_req *ap_req);
-krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context,
- const krb5_data *inbuf,
- krb5_kvno *kvno,
- krb5_enctype *enctype);
-krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
- krb5_auth_context *auth_context,
- const krb5_data *inbuf,
- krb5_const_principal server,
- krb5_keytab keytab,
- krb5_flags *ap_req_options,
- krb5_ticket **ticket,
- krb5_keyblock **keyblock);
-krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
- const char *name,
- krb5_principal *principal);
-bool smb_krb5_principal_compare_any_realm(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2);
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
- DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
- uint32 extra_ap_opts, const char *ccname,
- time_t *tgs_expire,
- const char *impersonate_princ_s);
-krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time);
-krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code);
-krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr);
-krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr);
-NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
-krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
-void smb_krb5_free_error(krb5_context context, krb5_error *krberror);
-krb5_error_code handle_krberror_packet(krb5_context context,
- krb5_data *packet);
-
-void smb_krb5_get_init_creds_opt_free(krb5_context context,
- krb5_get_init_creds_opt *opt);
-krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
- krb5_get_init_creds_opt **opt);
-krb5_error_code smb_krb5_mk_error(krb5_context context,
- krb5_error_code error_code,
- const krb5_principal server,
- krb5_data *reply);
-krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry);
-krb5_error_code smb_krb5_enctype_to_string(krb5_context context,
- krb5_enctype enctype,
- char **etype_s);
-krb5_error_code smb_krb5_open_keytab(krb5_context context,
- const char *keytab_name,
- bool write_access,
- krb5_keytab *keytab);
-krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
- krb5_context context,
- krb5_keytab keytab,
- const char **keytab_name);
-int smb_krb5_kt_add_entry_ext(krb5_context context,
- krb5_keytab keytab,
- krb5_kvno kvno,
- const char *princ_s,
- krb5_enctype *enctypes,
- krb5_data password,
- bool no_salt,
- bool keep_old_entries);
-krb5_error_code smb_krb5_get_credentials(krb5_context context,
- krb5_ccache ccache,
- krb5_principal me,
- krb5_principal server,
- krb5_principal impersonate_princ,
- krb5_creds **out_creds);
-krb5_error_code smb_krb5_get_creds(const char *server_s,
- time_t time_offset,
- const char *cc,
- const char *impersonate_princ_s,
- krb5_creds **creds_p);
-char *smb_krb5_principal_get_realm(krb5_context context,
- krb5_principal principal);
-#endif /* HAVE_KRB5 */
-
-
#ifdef HAVE_LDAP
/* function declarations not included in proto.h */
diff --git a/source3/include/krb5_protos.h b/source3/include/krb5_protos.h
new file mode 100644
index 0000000000..4f8521b167
--- /dev/null
+++ b/source3/include/krb5_protos.h
@@ -0,0 +1,148 @@
+/* work around broken krb5.h on sles9 */
+#ifdef SIZEOF_LONG
+#undef SIZEOF_LONG
+#endif
+
+
+#if defined(HAVE_KRB5)
+krb5_error_code smb_krb5_parse_name(krb5_context context,
+ const char *name, /* in unix charset */
+ krb5_principal *principal);
+
+krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
+ krb5_context context,
+ krb5_const_principal principal,
+ char **unix_name);
+
+#ifndef HAVE_KRB5_SET_REAL_TIME
+krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
+#endif
+
+krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
+
+#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
+krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock);
+#endif
+
+#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
+void krb5_free_unparsed_name(krb5_context ctx, char *val);
+#endif
+
+/* Stub out initialize_krb5_error_table since it is not present in all
+ * Kerberos implementations. If it's not present, it's not necessary to
+ * call it.
+ */
+#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE
+#define initialize_krb5_error_table()
+#endif
+
+/* Samba wrapper function for krb5 functionality. */
+bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
+int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
+bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
+krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
+krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+#if defined(HAVE_KRB5_LOCATE_KDC)
+krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+#endif
+krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
+bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote);
+krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
+krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype);
+void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
+bool kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
+void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
+NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
+ DATA_BLOB *pac_data_blob,
+ krb5_context context,
+ krb5_keyblock *service_keyblock,
+ krb5_const_principal client_principal,
+ time_t tgs_authtime,
+ struct PAC_DATA **pac_data_out);
+void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
+ struct PAC_SIGNATURE_DATA *sig);
+krb5_error_code smb_krb5_verify_checksum(krb5_context context,
+ const krb5_keyblock *keyblock,
+ krb5_keyusage usage,
+ krb5_checksum *cksum,
+ uint8 *data,
+ size_t length);
+time_t get_authtime_from_tkt(krb5_ticket *tkt);
+void smb_krb5_free_ap_req(krb5_context context,
+ krb5_ap_req *ap_req);
+krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context,
+ const krb5_data *inbuf,
+ krb5_kvno *kvno,
+ krb5_enctype *enctype);
+krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_data *inbuf,
+ krb5_const_principal server,
+ krb5_keytab keytab,
+ krb5_flags *ap_req_options,
+ krb5_ticket **ticket,
+ krb5_keyblock **keyblock);
+krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
+ const char *name,
+ krb5_principal *principal);
+bool smb_krb5_principal_compare_any_realm(krb5_context context,
+ krb5_const_principal princ1,
+ krb5_const_principal princ2);
+int cli_krb5_get_ticket(const char *principal, time_t time_offset,
+ DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
+ uint32 extra_ap_opts, const char *ccname,
+ time_t *tgs_expire,
+ const char *impersonate_princ_s);
+krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time);
+krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code);
+krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr);
+krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr);
+NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
+krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
+void smb_krb5_free_error(krb5_context context, krb5_error *krberror);
+krb5_error_code handle_krberror_packet(krb5_context context,
+ krb5_data *packet);
+
+void smb_krb5_get_init_creds_opt_free(krb5_context context,
+ krb5_get_init_creds_opt *opt);
+krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
+ krb5_get_init_creds_opt **opt);
+krb5_error_code smb_krb5_mk_error(krb5_context context,
+ krb5_error_code error_code,
+ const krb5_principal server,
+ krb5_data *reply);
+krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry);
+krb5_error_code smb_krb5_enctype_to_string(krb5_context context,
+ krb5_enctype enctype,
+ char **etype_s);
+krb5_error_code smb_krb5_open_keytab(krb5_context context,
+ const char *keytab_name,
+ bool write_access,
+ krb5_keytab *keytab);
+krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
+ krb5_context context,
+ krb5_keytab keytab,
+ const char **keytab_name);
+int smb_krb5_kt_add_entry_ext(krb5_context context,
+ krb5_keytab keytab,
+ krb5_kvno kvno,
+ const char *princ_s,
+ krb5_enctype *enctypes,
+ krb5_data password,
+ bool no_salt,
+ bool keep_old_entries);
+krb5_error_code smb_krb5_get_credentials(krb5_context context,
+ krb5_ccache ccache,
+ krb5_principal me,
+ krb5_principal server,
+ krb5_principal impersonate_princ,
+ krb5_creds **out_creds);
+krb5_error_code smb_krb5_get_creds(const char *server_s,
+ time_t time_offset,
+ const char *cc,
+ const char *impersonate_princ_s,
+ krb5_creds **creds_p);
+char *smb_krb5_principal_get_realm(krb5_context context,
+ krb5_principal principal);
+#endif /* HAVE_KRB5 */
+
diff --git a/source3/include/smb_krb5.h b/source3/include/smb_krb5.h
new file mode 100644
index 0000000000..3e5c86268a
--- /dev/null
+++ b/source3/include/smb_krb5.h
@@ -0,0 +1,72 @@
+#ifndef _HEADER_smb_krb5_h
+#define _HEADER_smb_krb5_h
+
+#define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */
+/* this file uses DEPRECATED interfaces! */
+
+#if defined(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER)
+#define KRB5_DEPRECATED 1
+#else
+#define KRB5_DEPRECATED
+#endif
+
+#if HAVE_KRB5_H
+#include <krb5.h>
+#endif
+
+#ifndef KRB5_ADDR_NETBIOS
+#define KRB5_ADDR_NETBIOS 0x14
+#endif
+
+#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
+#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
+#endif
+
+/* Heimdal uses a slightly different name */
+#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
+#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
+#endif
+
+/* The older versions of heimdal that don't have this
+ define don't seem to use it anyway. I'm told they
+ always use a subkey */
+#ifndef HAVE_AP_OPTS_USE_SUBKEY
+#define AP_OPTS_USE_SUBKEY 0
+#endif
+
+#ifdef HAVE_KRB5
+typedef struct {
+#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
+ krb5_address **addrs;
+#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
+ krb5_addresses *addrs;
+#else
+#error UNKNOWN_KRB5_ADDRESS_TYPE
+#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */
+} smb_krb5_addresses;
+
+#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
+#define KRB5_KEY_TYPE(k) ((k)->keytype)
+#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
+#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
+#define KRB5_KEY_DATA_CAST void
+#else /* MIT */
+#define KRB5_KEY_TYPE(k) ((k)->enctype)
+#define KRB5_KEY_LENGTH(k) ((k)->length)
+#define KRB5_KEY_DATA(k) ((k)->contents)
+#define KRB5_KEY_DATA_CAST krb5_octet
+#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
+
+#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
+#define KRB5_KT_KEY(k) (&(k)->key)
+#elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
+#define KRB5_KT_KEY(k) (&(k)->keyblock)
+#else
+#error krb5_keytab_entry has no key or keyblock member
+#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
+
+#endif /* HAVE_KRB5 */
+
+#include "krb5_protos.h"
+
+#endif /* _HEADER_smb_krb5_h */
diff --git a/source3/libads/ads_status.c b/source3/libads/ads_status.c
index 29148e8543..6680766f23 100644
--- a/source3/libads/ads_status.c
+++ b/source3/libads/ads_status.c
@@ -21,6 +21,7 @@
*/
#include "includes.h"
+#include "smb_krb5.h"
/*
build a ADS_STATUS structure
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index ef5400654e..35d5ef9f31 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -24,6 +24,7 @@
#include "includes.h"
#include "librpc/gen_ndr/ndr_krb5pac.h"
+#include "smb_krb5.h"
#ifdef HAVE_KRB5
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 89357b01fb..af8ea39370 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -22,6 +22,7 @@
*/
#include "includes.h"
+#include "smb_krb5.h"
#ifdef HAVE_KRB5
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 4fede259ab..fa2a1261a2 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -26,6 +26,7 @@
*/
#include "includes.h"
+#include "smb_krb5.h"
#ifdef HAVE_KRB5
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 8502902963..bf9bca6311 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -24,6 +24,7 @@
*/
#include "includes.h"
+#include "smb_krb5.h"
#ifdef HAVE_KRB5
diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c
index 0e03ebb90d..d4ff09a510 100644
--- a/source3/libads/krb5_errs.c
+++ b/source3/libads/krb5_errs.c
@@ -18,6 +18,7 @@
*/
#include "includes.h"
+#include "smb_krb5.h"
#ifdef HAVE_KRB5
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 7cdfbc58a4..ec5cafc49d 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -19,6 +19,7 @@
*/
#include "includes.h"
+#include "smb_krb5.h"
#ifdef HAVE_KRB5
diff --git a/source3/libnet/libnet.h b/source3/libnet/libnet.h
index 570009c6f6..86eb9d050c 100644
--- a/source3/libnet/libnet.h
+++ b/source3/libnet/libnet.h
@@ -20,6 +20,7 @@
#ifndef __LIBNET_H__
#define __LIBNET_H__
+#include "smb_krb5.h"
#include "libnet/libnet_keytab.h"
#include "libnet/libnet_samsync.h"
#include "libnet/libnet_dssync.h"
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 2535de2847..112143ca96 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -21,6 +21,7 @@
#include "includes.h"
#include "../libcli/auth/libcli_auth.h"
#include "../libcli/auth/spnego.h"
+#include "smb_krb5.h"
static const struct {
int prot;
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 3dc8c64ba9..0839b434c1 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -20,10 +20,8 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */
-/* this file uses DEPRECATED interfaces! */
-
#include "includes.h"
+#include "smb_krb5.h"
#ifdef HAVE_KRB5
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index 3789fbf6b8..264743b2a6 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -21,6 +21,7 @@
#include "includes.h"
#include "../libcli/auth/spnego.h"
+#include "smb_krb5.h"
/*
generate a negTokenInit packet given a GUID, a list of supported
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 5bfcba3443..23f002ceeb 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -22,6 +22,7 @@
#include "../librpc/gen_ndr/ndr_schannel.h"
#include "../libcli/auth/schannel.h"
#include "../libcli/auth/spnego.h"
+#include "smb_krb5.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_CLI
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 6e813f458c..87df3c6160 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -27,6 +27,7 @@
#include "utils/ntlm_auth.h"
#include "../libcli/auth/libcli_auth.h"
#include "../libcli/auth/spnego.h"
+#include "smb_krb5.h"
#include <iniparser.h>
#ifndef PAM_WINBIND_CONFIG_FILE
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index f11f75762d..e63e73221e 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -24,6 +24,8 @@
#include "includes.h"
#include "winbindd.h"
#include "../libcli/auth/libcli_auth.h"
+#include "smb_krb5.h"
+
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 3117533f31..357b6463d5 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -26,6 +26,7 @@
#include "winbindd.h"
#include "../libcli/auth/libcli_auth.h"
#include "../librpc/gen_ndr/cli_samr.h"
+#include "smb_krb5.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND