s3-kerberos: only use krb5 headers where required.

This seems to be the only way to deal with mixed heimdal/MIT setups during
merged build.

Guenther

20 files changed, 256 insertions, 229 deletions

diff --git a/source3/configure.in b/source3/configure.in
index 693fe6a061..95e91c2eee 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3375,10 +3375,7 @@ if test x"$with_ads_support" != x"no"; then
       samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER=no)])
 
   if test x"$samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER" = x"yes"; then
-    AC_DEFINE(KRB5_DEPRECATED, 1,
-	       [Whether to use deprecated krb5 interfaces])
-  else
-    AC_DEFINE(KRB5_DEPRECATED,,
+    AC_DEFINE(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER, 1,
 	       [Whether to use deprecated krb5 interfaces])
   fi
 fi
diff --git a/source3/include/ads.h b/source3/include/ads.h
index 30f0b1fc0c..d0bae80845 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -8,6 +8,24 @@
 
 #include "../libds/common/flags.h"
 
+/*
+ * This should be under the HAVE_KRB5 flag but since they're used
+ * in lp_kerberos_method(), they ned to be always available
+ */
+#define KERBEROS_VERIFY_SECRETS 0
+#define KERBEROS_VERIFY_SYSTEM_KEYTAB 1
+#define KERBEROS_VERIFY_DEDICATED_KEYTAB 2
+#define KERBEROS_VERIFY_SECRETS_AND_KEYTAB 3
+
+/*
+ * If you add any entries to the above, please modify the below expressions
+ * so they remain accurate.
+ */
+#define USE_KERBEROS_KEYTAB (KERBEROS_VERIFY_SECRETS != lp_kerberos_method())
+#define USE_SYSTEM_KEYTAB \
+    ((KERBEROS_VERIFY_SECRETS_AND_KEYTAB == lp_kerberos_method()) || \
+     (KERBEROS_VERIFY_SYSTEM_KEYTAB == lp_kerberos_method()))
+
 #define TOK_ID_KRB_AP_REQ	((const uint8_t *)"\x01\x00")
 #define TOK_ID_KRB_AP_REP	((const uint8_t *)"\x02\x00")
 #define TOK_ID_KRB_ERROR	((const uint8_t *)"\x03\x00")
@@ -226,62 +244,9 @@ typedef void **ADS_MODLIST;
 /* Kerberos environment variable names */
 #define KRB5_ENV_CCNAME "KRB5CCNAME"
 
-/* Heimdal uses a slightly different name */
-#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
-#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
-#endif
-
-/* The older versions of heimdal that don't have this
-   define don't seem to use it anyway.  I'm told they
-   always use a subkey */
-#ifndef HAVE_AP_OPTS_USE_SUBKEY
-#define AP_OPTS_USE_SUBKEY 0
-#endif
-
 #define WELL_KNOWN_GUID_COMPUTERS	"AA312825768811D1ADED00C04FD8D5CD" 
 #define WELL_KNOWN_GUID_USERS		"A9D1CA15768811D1ADED00C04FD8D5CD"
 
-#ifndef KRB5_ADDR_NETBIOS
-#define KRB5_ADDR_NETBIOS 0x14
-#endif
-
-#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
-#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
-#endif
-
-#ifdef HAVE_KRB5
-typedef struct {
-#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
-	krb5_address **addrs;
-#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
-	krb5_addresses *addrs;
-#else
-#error UNKNOWN_KRB5_ADDRESS_TYPE
-#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */
-} smb_krb5_addresses;
-
-#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
-#define KRB5_KEY_TYPE(k)	((k)->keytype)
-#define KRB5_KEY_LENGTH(k)	((k)->keyvalue.length)
-#define KRB5_KEY_DATA(k)	((k)->keyvalue.data)
-#define KRB5_KEY_DATA_CAST	void
-#else /* MIT */
-#define KRB5_KEY_TYPE(k)	((k)->enctype)
-#define KRB5_KEY_LENGTH(k)	((k)->length)
-#define KRB5_KEY_DATA(k)	((k)->contents)
-#define KRB5_KEY_DATA_CAST	krb5_octet
-#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
-
-#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY               /* MIT */
-#define KRB5_KT_KEY(k)		(&(k)->key)
-#elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK          /* Heimdal */
-#define KRB5_KT_KEY(k)		(&(k)->keyblock)
-#else
-#error krb5_keytab_entry has no key or keyblock member
-#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
-
-#endif /* HAVE_KRB5 */
-
 enum ads_extended_dn_flags {
 	ADS_EXTENDED_DN_HEX_STRING	= 0,
 	ADS_EXTENDED_DN_STRING		= 1 /* not supported on win2k */
diff --git a/source3/include/includes.h b/source3/include/includes.h
index 438b346445..37cb611a91 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -20,11 +20,6 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-/* work around broken krb5.h on sles9 */
-#ifdef SIZEOF_LONG
-#undef SIZEOF_LONG
-#endif
-
 #include "../replace/replace.h"
 
 /* make sure we have included the correct config.h */
@@ -146,9 +141,7 @@
 #endif
 #endif /* HAVE_NETGROUP */
 
-#if HAVE_KRB5_H
-#include <krb5.h>
-#else
+#ifndef HAVE_KRB5_H
 #undef HAVE_KRB5
 #endif
 
@@ -929,167 +922,6 @@ char *talloc_asprintf_strupper_m(TALLOC_CTX *t, const char *fmt, ...) PRINTF_ATT
 #define XATTR_REPLACE 0x2       /* set value, fail if attr does not exist */
 #endif
 
-/*
- * This should be under the HAVE_KRB5 flag but since they're used
- * in lp_kerberos_method(), they ned to be always available
- */
-#define KERBEROS_VERIFY_SECRETS 0
-#define KERBEROS_VERIFY_SYSTEM_KEYTAB 1
-#define KERBEROS_VERIFY_DEDICATED_KEYTAB 2
-#define KERBEROS_VERIFY_SECRETS_AND_KEYTAB 3
-
-/*
- * If you add any entries to the above, please modify the below expressions
- * so they remain accurate.
- */
-#define USE_KERBEROS_KEYTAB (KERBEROS_VERIFY_SECRETS != lp_kerberos_method())
-#define USE_SYSTEM_KEYTAB \
-    ((KERBEROS_VERIFY_SECRETS_AND_KEYTAB == lp_kerberos_method()) || \
-     (KERBEROS_VERIFY_SYSTEM_KEYTAB == lp_kerberos_method()))
-
-#if defined(HAVE_KRB5)
-krb5_error_code smb_krb5_parse_name(krb5_context context,
-				const char *name, /* in unix charset */
-                                krb5_principal *principal);
-
-krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
-				      krb5_context context,
-				      krb5_const_principal principal,
-				      char **unix_name);
-
-#ifndef HAVE_KRB5_SET_REAL_TIME
-krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
-#endif
-
-krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
-
-#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
-krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock);
-#endif
-
-#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
-void krb5_free_unparsed_name(krb5_context ctx, char *val);
-#endif
-
-/* Stub out initialize_krb5_error_table since it is not present in all
- * Kerberos implementations. If it's not present, it's not necessary to
- * call it.
- */
-#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE
-#define initialize_krb5_error_table()
-#endif
-
-/* Samba wrapper function for krb5 functionality. */
-bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
-int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
-bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
-krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
-krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
-#if defined(HAVE_KRB5_LOCATE_KDC)
-krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
-#endif
-krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
-bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote);
-krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
-krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype);
-void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
-bool kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
-void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
-NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
-			 DATA_BLOB *pac_data_blob,
-			 krb5_context context,
-			 krb5_keyblock *service_keyblock,
-			 krb5_const_principal client_principal,
-			 time_t tgs_authtime,
-			 struct PAC_DATA **pac_data_out);
-void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum, 
-				    struct PAC_SIGNATURE_DATA *sig);
-krb5_error_code smb_krb5_verify_checksum(krb5_context context,
-					 const krb5_keyblock *keyblock,
-					 krb5_keyusage usage,
-					 krb5_checksum *cksum,
-					 uint8 *data,
-					 size_t length);
-time_t get_authtime_from_tkt(krb5_ticket *tkt);
-void smb_krb5_free_ap_req(krb5_context context, 
-			  krb5_ap_req *ap_req);
-krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context, 
-						 const krb5_data *inbuf, 
-						 krb5_kvno *kvno, 
-						 krb5_enctype *enctype);
-krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
-							krb5_auth_context *auth_context,
-							const krb5_data *inbuf,
-							krb5_const_principal server,
-							krb5_keytab keytab,
-							krb5_flags *ap_req_options,
-							krb5_ticket **ticket, 
-							krb5_keyblock **keyblock);
-krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, 
-					    const char *name, 
-					    krb5_principal *principal);
-bool smb_krb5_principal_compare_any_realm(krb5_context context, 
-					  krb5_const_principal princ1, 
-					  krb5_const_principal princ2);
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
-			DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
-			uint32 extra_ap_opts, const char *ccname,
-			time_t *tgs_expire,
-			const char *impersonate_princ_s);
-krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time);
-krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code);
-krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr);
-krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr);
-NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
-krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
-void smb_krb5_free_error(krb5_context context, krb5_error *krberror);
-krb5_error_code handle_krberror_packet(krb5_context context,
-                                         krb5_data *packet);
-
-void smb_krb5_get_init_creds_opt_free(krb5_context context,
-				    krb5_get_init_creds_opt *opt);
-krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
-				    krb5_get_init_creds_opt **opt);
-krb5_error_code smb_krb5_mk_error(krb5_context context,
-					krb5_error_code error_code,
-					const krb5_principal server,
-					krb5_data *reply);
-krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry);
-krb5_error_code smb_krb5_enctype_to_string(krb5_context context, 
- 					    krb5_enctype enctype, 
-					    char **etype_s);
-krb5_error_code smb_krb5_open_keytab(krb5_context context, 
- 				      const char *keytab_name, 
-				      bool write_access, 
-				      krb5_keytab *keytab);
-krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
-				     krb5_context context,
-				     krb5_keytab keytab,
-				     const char **keytab_name);
-int smb_krb5_kt_add_entry_ext(krb5_context context,
-			      krb5_keytab keytab,
-			      krb5_kvno kvno,
-			      const char *princ_s,
-			      krb5_enctype *enctypes,
-			      krb5_data password,
-			      bool no_salt,
-			      bool keep_old_entries);
-krb5_error_code smb_krb5_get_credentials(krb5_context context,
-					 krb5_ccache ccache,
-					 krb5_principal me,
-					 krb5_principal server,
-					 krb5_principal impersonate_princ,
-					 krb5_creds **out_creds);
-krb5_error_code smb_krb5_get_creds(const char *server_s,
-				   time_t time_offset,
-				   const char *cc,
-				   const char *impersonate_princ_s,
-				   krb5_creds **creds_p);
-char *smb_krb5_principal_get_realm(krb5_context context,
-				   krb5_principal principal);
-#endif /* HAVE_KRB5 */
-
-
 #ifdef HAVE_LDAP
 
 /* function declarations not included in proto.h */
diff --git a/source3/include/krb5_protos.h b/source3/include/krb5_protos.h
new file mode 100644
index 0000000000..4f8521b167
--- /dev/null
+++ b/source3/include/krb5_protos.h
@@ -0,0 +1,148 @@
+/* work around broken krb5.h on sles9 */
+#ifdef SIZEOF_LONG
+#undef SIZEOF_LONG
+#endif
+
+
+#if defined(HAVE_KRB5)
+krb5_error_code smb_krb5_parse_name(krb5_context context,
+				const char *name, /* in unix charset */
+                                krb5_principal *principal);
+
+krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
+				      krb5_context context,
+				      krb5_const_principal principal,
+				      char **unix_name);
+
+#ifndef HAVE_KRB5_SET_REAL_TIME
+krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
+#endif
+
+krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
+
+#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
+krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock);
+#endif
+
+#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
+void krb5_free_unparsed_name(krb5_context ctx, char *val);
+#endif
+
+/* Stub out initialize_krb5_error_table since it is not present in all
+ * Kerberos implementations. If it's not present, it's not necessary to
+ * call it.
+ */
+#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE
+#define initialize_krb5_error_table()
+#endif
+
+/* Samba wrapper function for krb5 functionality. */
+bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
+int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
+bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
+krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
+krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+#if defined(HAVE_KRB5_LOCATE_KDC)
+krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+#endif
+krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
+bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote);
+krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
+krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype);
+void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
+bool kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
+void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
+NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
+			 DATA_BLOB *pac_data_blob,
+			 krb5_context context,
+			 krb5_keyblock *service_keyblock,
+			 krb5_const_principal client_principal,
+			 time_t tgs_authtime,
+			 struct PAC_DATA **pac_data_out);
+void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
+				    struct PAC_SIGNATURE_DATA *sig);
+krb5_error_code smb_krb5_verify_checksum(krb5_context context,
+					 const krb5_keyblock *keyblock,
+					 krb5_keyusage usage,
+					 krb5_checksum *cksum,
+					 uint8 *data,
+					 size_t length);
+time_t get_authtime_from_tkt(krb5_ticket *tkt);
+void smb_krb5_free_ap_req(krb5_context context,
+			  krb5_ap_req *ap_req);
+krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context,
+						 const krb5_data *inbuf,
+						 krb5_kvno *kvno,
+						 krb5_enctype *enctype);
+krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
+							krb5_auth_context *auth_context,
+							const krb5_data *inbuf,
+							krb5_const_principal server,
+							krb5_keytab keytab,
+							krb5_flags *ap_req_options,
+							krb5_ticket **ticket,
+							krb5_keyblock **keyblock);
+krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
+					    const char *name,
+					    krb5_principal *principal);
+bool smb_krb5_principal_compare_any_realm(krb5_context context,
+					  krb5_const_principal princ1,
+					  krb5_const_principal princ2);
+int cli_krb5_get_ticket(const char *principal, time_t time_offset,
+			DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
+			uint32 extra_ap_opts, const char *ccname,
+			time_t *tgs_expire,
+			const char *impersonate_princ_s);
+krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time);
+krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code);
+krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr);
+krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr);
+NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
+krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
+void smb_krb5_free_error(krb5_context context, krb5_error *krberror);
+krb5_error_code handle_krberror_packet(krb5_context context,
+                                         krb5_data *packet);
+
+void smb_krb5_get_init_creds_opt_free(krb5_context context,
+				    krb5_get_init_creds_opt *opt);
+krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
+				    krb5_get_init_creds_opt **opt);
+krb5_error_code smb_krb5_mk_error(krb5_context context,
+					krb5_error_code error_code,
+					const krb5_principal server,
+					krb5_data *reply);
+krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry);
+krb5_error_code smb_krb5_enctype_to_string(krb5_context context,
+					    krb5_enctype enctype,
+					    char **etype_s);
+krb5_error_code smb_krb5_open_keytab(krb5_context context,
+				      const char *keytab_name,
+				      bool write_access,
+				      krb5_keytab *keytab);
+krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
+				     krb5_context context,
+				     krb5_keytab keytab,
+				     const char **keytab_name);
+int smb_krb5_kt_add_entry_ext(krb5_context context,
+			      krb5_keytab keytab,
+			      krb5_kvno kvno,
+			      const char *princ_s,
+			      krb5_enctype *enctypes,
+			      krb5_data password,
+			      bool no_salt,
+			      bool keep_old_entries);
+krb5_error_code smb_krb5_get_credentials(krb5_context context,
+					 krb5_ccache ccache,
+					 krb5_principal me,
+					 krb5_principal server,
+					 krb5_principal impersonate_princ,
+					 krb5_creds **out_creds);
+krb5_error_code smb_krb5_get_creds(const char *server_s,
+				   time_t time_offset,
+				   const char *cc,
+				   const char *impersonate_princ_s,
+				   krb5_creds **creds_p);
+char *smb_krb5_principal_get_realm(krb5_context context,
+				   krb5_principal principal);
+#endif /* HAVE_KRB5 */
+
diff --git a/source3/include/smb_krb5.h b/source3/include/smb_krb5.h
new file mode 100644
index 0000000000..3e5c86268a
--- /dev/null
+++ b/source3/include/smb_krb5.h
@@ -0,0 +1,72 @@
+#ifndef _HEADER_smb_krb5_h
+#define _HEADER_smb_krb5_h
+
+#define KRB5_PRIVATE    1       /* this file uses PRIVATE interfaces! */
+/* this file uses DEPRECATED interfaces! */
+
+#if defined(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER)
+#define KRB5_DEPRECATED 1
+#else
+#define KRB5_DEPRECATED
+#endif
+
+#if HAVE_KRB5_H
+#include <krb5.h>
+#endif
+
+#ifndef KRB5_ADDR_NETBIOS
+#define KRB5_ADDR_NETBIOS 0x14
+#endif
+
+#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
+#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
+#endif
+
+/* Heimdal uses a slightly different name */
+#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
+#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
+#endif
+
+/* The older versions of heimdal that don't have this
+   define don't seem to use it anyway.  I'm told they
+   always use a subkey */
+#ifndef HAVE_AP_OPTS_USE_SUBKEY
+#define AP_OPTS_USE_SUBKEY 0
+#endif
+
+#ifdef HAVE_KRB5
+typedef struct {
+#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
+	krb5_address **addrs;
+#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
+	krb5_addresses *addrs;
+#else
+#error UNKNOWN_KRB5_ADDRESS_TYPE
+#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */
+} smb_krb5_addresses;
+
+#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
+#define KRB5_KEY_TYPE(k)	((k)->keytype)
+#define KRB5_KEY_LENGTH(k)	((k)->keyvalue.length)
+#define KRB5_KEY_DATA(k)	((k)->keyvalue.data)
+#define KRB5_KEY_DATA_CAST	void
+#else /* MIT */
+#define KRB5_KEY_TYPE(k)	((k)->enctype)
+#define KRB5_KEY_LENGTH(k)	((k)->length)
+#define KRB5_KEY_DATA(k)	((k)->contents)
+#define KRB5_KEY_DATA_CAST	krb5_octet
+#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
+
+#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY               /* MIT */
+#define KRB5_KT_KEY(k)		(&(k)->key)
+#elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK          /* Heimdal */
+#define KRB5_KT_KEY(k)		(&(k)->keyblock)
+#else
+#error krb5_keytab_entry has no key or keyblock member
+#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
+
+#endif /* HAVE_KRB5 */
+
+#include "krb5_protos.h"
+
+#endif /* _HEADER_smb_krb5_h */
diff --git a/source3/libads/ads_status.c b/source3/libads/ads_status.c
index 29148e8543..6680766f23 100644
--- a/source3/libads/ads_status.c
+++ b/source3/libads/ads_status.c
@@ -21,6 +21,7 @@
 */
 
 #include "includes.h"
+#include "smb_krb5.h"
 
 /*
   build a ADS_STATUS structure
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index ef5400654e..35d5ef9f31 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -24,6 +24,7 @@
 
 #include "includes.h"
 #include "librpc/gen_ndr/ndr_krb5pac.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 89357b01fb..af8ea39370 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -22,6 +22,7 @@
 */
 
 #include "includes.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 4fede259ab..fa2a1261a2 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -26,6 +26,7 @@
 */
 
 #include "includes.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 8502902963..bf9bca6311 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -24,6 +24,7 @@
 */
 
 #include "includes.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c
index 0e03ebb90d..d4ff09a510 100644
--- a/source3/libads/krb5_errs.c
+++ b/source3/libads/krb5_errs.c
@@ -18,6 +18,7 @@
  */
 
 #include "includes.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 7cdfbc58a4..ec5cafc49d 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -19,6 +19,7 @@
 */
 
 #include "includes.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source3/libnet/libnet.h b/source3/libnet/libnet.h
index 570009c6f6..86eb9d050c 100644
--- a/source3/libnet/libnet.h
+++ b/source3/libnet/libnet.h
@@ -20,6 +20,7 @@
 #ifndef __LIBNET_H__
 #define __LIBNET_H__
 
+#include "smb_krb5.h"
 #include "libnet/libnet_keytab.h"
 #include "libnet/libnet_samsync.h"
 #include "libnet/libnet_dssync.h"
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 2535de2847..112143ca96 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -21,6 +21,7 @@
 #include "includes.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "../libcli/auth/spnego.h"
+#include "smb_krb5.h"
 
 static const struct {
 	int prot;
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 3dc8c64ba9..0839b434c1 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -20,10 +20,8 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#define KRB5_PRIVATE    1       /* this file uses PRIVATE interfaces! */
-/* this file uses DEPRECATED interfaces! */
-
 #include "includes.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index 3789fbf6b8..264743b2a6 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -21,6 +21,7 @@
 
 #include "includes.h"
 #include "../libcli/auth/spnego.h"
+#include "smb_krb5.h"
 
 /*
   generate a negTokenInit packet given a GUID, a list of supported
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 5bfcba3443..23f002ceeb 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -22,6 +22,7 @@
 #include "../librpc/gen_ndr/ndr_schannel.h"
 #include "../libcli/auth/schannel.h"
 #include "../libcli/auth/spnego.h"
+#include "smb_krb5.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_CLI
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 6e813f458c..87df3c6160 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -27,6 +27,7 @@
 #include "utils/ntlm_auth.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "../libcli/auth/spnego.h"
+#include "smb_krb5.h"
 #include <iniparser.h>
 
 #ifndef PAM_WINBIND_CONFIG_FILE
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index f11f75762d..e63e73221e 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -24,6 +24,8 @@
 #include "includes.h"
 #include "winbindd.h"
 #include "../libcli/auth/libcli_auth.h"
+#include "smb_krb5.h"
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
 
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 3117533f31..357b6463d5 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -26,6 +26,7 @@
 #include "winbindd.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "../librpc/gen_ndr/cli_samr.h"
+#include "smb_krb5.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND