r7270: A big revamp to the way we handle kerberos errors in Samba4. We now

fill in the function pointers to handle the logging, and catch all the
kerberos warnings. (Currently at level 3).

To avoid a memory leak, this requries a new function: krb5_freelog(),
which I've added to lorikeet/heimdal.

This also required a revamp to how we handle the krb5_context, so as
to make it easier to handle with talloc destructors.

Andrew Bartlett
(This used to be commit 63272794c41231b335b73e7ccf349282f295c4d2)

9 files changed, 167 insertions, 100 deletions

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 314f76038b..c6a16cdf33 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -43,7 +43,7 @@ struct gensec_gssapi_state {
 	DATA_BLOB session_key;
 	DATA_BLOB pac;
 
-	krb5_context krb5_context;
+	struct smb_krb5_context *smb_krb5_context;
 	krb5_ccache ccache;
 	const char *ccache_name;
 
@@ -98,9 +98,6 @@ static int gensec_gssapi_destory(void *ptr)
 	if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
 		maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->client_name);
 	}
-	if (gensec_gssapi_state->krb5_context) {
-		krb5_free_context(gensec_gssapi_state->krb5_context);
-	}
 	return 0;
 }
 
@@ -129,8 +126,6 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 	gensec_gssapi_state->session_key = data_blob(NULL, 0);
 	gensec_gssapi_state->pac = data_blob(NULL, 0);
 
-	gensec_gssapi_state->krb5_context = NULL;
-
 	gensec_gssapi_state->cred = GSS_C_NO_CREDENTIAL;
 
 	talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destory); 
@@ -161,29 +156,13 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 
 	gensec_gssapi_state->gss_oid = gss_mech_krb5;
 	
-	ret = krb5_init_context(&gensec_gssapi_state->krb5_context);
+	ret = smb_krb5_init_context(gensec_gssapi_state, 
+				    &gensec_gssapi_state->smb_krb5_context);
 	if (ret) {
 		DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n", 					
-			 smb_get_krb5_error_message(gensec_gssapi_state->krb5_context, 
-						    ret, gensec_gssapi_state)));
+			 error_message(ret)));
 		return NT_STATUS_INTERNAL_ERROR;
 	}
-	
-	if (lp_realm() && *lp_realm()) {
-		char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm());
-		if (!upper_realm) {
-			DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm()));
-			return NT_STATUS_NO_MEMORY;
-		}
-		ret = krb5_set_default_realm(gensec_gssapi_state->krb5_context, upper_realm);
-		if (ret) {
-			DEBUG(1,("gensec_krb5_start: krb5_set_default_realm failed (%s)\n", 
-				 smb_get_krb5_error_message(gensec_gssapi_state->krb5_context, 
-							    ret, gensec_gssapi_state)));
-			return NT_STATUS_INTERNAL_ERROR;
-		}
-	}
-
 	return NT_STATUS_OK;
 }
 
@@ -216,7 +195,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 
 	gensec_gssapi_state = gensec_security->private_data;
 
-	name_token.value = talloc_asprintf(gensec_gssapi_state, "%s@%s", gensec_get_target_service(gensec_security), 
+	name_token.value = talloc_asprintf(gensec_gssapi_state, "%s@%s", 
+					   gensec_get_target_service(gensec_security), 
 					   gensec_get_target_hostname(gensec_security));
 	name_token.length = strlen(name_token.value);
 
@@ -231,7 +211,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
-	name_token.value = cli_credentials_get_principal(gensec_get_credentials(gensec_security), gensec_gssapi_state),
+	name_token.value = cli_credentials_get_principal(gensec_get_credentials(gensec_security), 
+							 gensec_gssapi_state),
 	name_token.length = strlen(name_token.value);
 
 	maj_stat = gss_import_name (&min_stat,
@@ -249,7 +230,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 	
 	nt_status = kinit_to_ccache(gensec_gssapi_state, 
 				    gensec_get_credentials(gensec_security),
-				    gensec_gssapi_state->krb5_context, 
+				    gensec_gssapi_state->smb_krb5_context, 
 				    &gensec_gssapi_state->ccache, &gensec_gssapi_state->ccache_name);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 1ac46f3ac9..d633794e1c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -43,7 +43,7 @@ struct gensec_krb5_state {
 	DATA_BLOB session_key;
 	DATA_BLOB pac;
 	enum GENSEC_KRB5_STATE state_position;
-	krb5_context context;
+	struct smb_krb5_context *smb_krb5_context;
 	krb5_auth_context auth_context;
 	krb5_ccache ccache;
 	krb5_data ticket;
@@ -67,7 +67,7 @@ static NTSTATUS gensec_krb5_pac_checksum(DATA_BLOB pac_data,
 	cksum.checksum.data	= sig->signature;
 
 
-	ret = krb5_crypto_init(gensec_krb5_state->context,
+	ret = krb5_crypto_init(gensec_krb5_state->smb_krb5_context->krb5_context,
 				&gensec_krb5_state->keyblock,
 				0,
 				&crypto);
@@ -77,7 +77,7 @@ static NTSTATUS gensec_krb5_pac_checksum(DATA_BLOB pac_data,
 	}
 	for (i=0; i < 40; i++) {
 		keyusage = i;
-		ret = krb5_verify_checksum(gensec_krb5_state->context,
+		ret = krb5_verify_checksum(gensec_krb5_state->smb_krb5_context->krb5_context,
 					   crypto,
 					   keyusage,
 					   pac_data.data,
@@ -88,7 +88,7 @@ static NTSTATUS gensec_krb5_pac_checksum(DATA_BLOB pac_data,
 			break;
 		}
 	}
-	krb5_crypto_destroy(gensec_krb5_state->context, crypto);
+	krb5_crypto_destroy(gensec_krb5_state->smb_krb5_context->krb5_context, crypto);
 
 	if (ret) {
 		DEBUG(0,("NOT verifying PAC checksums yet!\n"));
@@ -235,22 +235,19 @@ static int gensec_krb5_destory(void *ptr)
 	struct gensec_krb5_state *gensec_krb5_state = ptr;
 
 	if (gensec_krb5_state->ticket.length) { 
-		kerberos_free_data_contents(gensec_krb5_state->context, 
+		kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context, 
 					    &gensec_krb5_state->ticket); 
 	}
 	/* ccache freed in a child destructor */
 
-	krb5_free_keyblock_contents(gensec_krb5_state->context, 
+	krb5_free_keyblock_contents(gensec_krb5_state->smb_krb5_context->krb5_context, 
 				    &gensec_krb5_state->keyblock);
 		
 	if (gensec_krb5_state->auth_context) {
-		krb5_auth_con_free(gensec_krb5_state->context, 
+		krb5_auth_con_free(gensec_krb5_state->smb_krb5_context->krb5_context, 
 				   gensec_krb5_state->auth_context);
 	}
 
-	if (gensec_krb5_state->context) {
-		krb5_free_context(gensec_krb5_state->context);
-	}
 	return 0;
 }
 
@@ -267,7 +264,6 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 	gensec_security->private_data = gensec_krb5_state;
 
 	initialize_krb5_error_table();
-	gensec_krb5_state->context = NULL;
 	gensec_krb5_state->auth_context = NULL;
 	gensec_krb5_state->ccache = NULL;
 	ZERO_STRUCT(gensec_krb5_state->ticket);
@@ -277,32 +273,18 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 
 	talloc_set_destructor(gensec_krb5_state, gensec_krb5_destory); 
 
-	ret = krb5_init_context(&gensec_krb5_state->context);
+	ret = smb_krb5_init_context(gensec_krb5_state,
+				    &gensec_krb5_state->smb_krb5_context);
 	if (ret) {
 		DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n", 
 			 error_message(ret)));
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 
-	if (lp_realm() && *lp_realm()) {
-		char *upper_realm = strupper_talloc(gensec_krb5_state, lp_realm());
-		if (!upper_realm) {
-			DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm()));
-			return NT_STATUS_NO_MEMORY;
-		}
-		ret = krb5_set_default_realm(gensec_krb5_state->context, upper_realm);
-		if (ret) {
-			DEBUG(1,("gensec_krb5_start: krb5_set_default_realm failed (%s)\n", 
-				 smb_get_krb5_error_message(gensec_krb5_state->context, 
-							    ret, gensec_krb5_state)));
-			return NT_STATUS_INTERNAL_ERROR;
-		}
-	}
-
-	ret = krb5_auth_con_init(gensec_krb5_state->context, &gensec_krb5_state->auth_context);
+	ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
 	if (ret) {
 		DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n", 
-			 smb_get_krb5_error_message(gensec_krb5_state->context, 
+			 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
 						    ret, gensec_krb5_state)));
 		return NT_STATUS_INTERNAL_ERROR;
 	}
@@ -351,10 +333,10 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 	 
 	   TODO: If the user set a username, we should use an in-memory CCACHE (see below)
 	*/ 
-	ret = krb5_cc_default(gensec_krb5_state->context, &gensec_krb5_state->ccache);
+	ret = krb5_cc_default(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->ccache);
 	if (ret) {
 		DEBUG(1,("krb5_cc_default failed (%s)\n",
-			 smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state)));
+			 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 	
@@ -363,7 +345,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 			krb5_data in_data;
 			in_data.length = 0;
 
-			ret = krb5_mk_req(gensec_krb5_state->context, 
+			ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context, 
 					  &gensec_krb5_state->auth_context,
 					  AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
 					  gensec_get_target_service(gensec_security),
@@ -377,7 +359,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 			return NT_STATUS_OK;
 		case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
 			DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n", 
-				  hostname, smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state)));
+				  hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
 			return NT_STATUS_ACCESS_DENIED;
 		case KRB5KDC_ERR_PREAUTH_FAILED:
 		case KRB5KRB_AP_ERR_TKT_EXPIRED:
@@ -387,7 +369,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 		case KRB5_KDCREP_SKEW:
 		{
 			DEBUG(3, ("kerberos (mk_req) failed: %s\n", 
-				  smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state)));
+				  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
 			/* fall down to remaining code */
 		}
 
@@ -399,7 +381,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 			
 		nt_status = kinit_to_ccache(gensec_krb5_state,  
 					    gensec_security->credentials,
-					    gensec_krb5_state->context, 
+					    gensec_krb5_state->smb_krb5_context, 
 					    &gensec_krb5_state->ccache, 
 					    &ccache_name);
 		
@@ -410,7 +392,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 
 		default:
 			DEBUG(0, ("kerberos: %s\n", 
-				  smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state)));
+				  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
 			return NT_STATUS_UNSUCCESSFUL;
 		}
 	}
@@ -442,7 +424,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 	{
 		if (ret) {
 			DEBUG(1,("ads_krb5_mk_req (request ticket) failed (%s)\n",
-				 smb_get_krb5_error_message(gensec_krb5_state->context, ret, out_mem_ctx)));
+				 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
 			nt_status = NT_STATUS_LOGON_FAILURE;
 		} else {
 			DATA_BLOB unwrapped_out;
@@ -478,12 +460,12 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 
 		inbuf.data = unwrapped_in.data;
 		inbuf.length = unwrapped_in.length;
-		ret = krb5_rd_rep(gensec_krb5_state->context, 
+		ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context, 
 				  gensec_krb5_state->auth_context,
 				  &inbuf, &repl);
 		if (ret) {
 			DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
-				 smb_get_krb5_error_message(gensec_krb5_state->context, ret, out_mem_ctx)));
+				 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
 			dump_data_pw("Mutual authentication message:\n", inbuf.data, inbuf.length);
 			nt_status = NT_STATUS_ACCESS_DENIED;
 		} else {
@@ -492,7 +474,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 			gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
 		}
 		if (repl) {
-			krb5_free_ap_rep_enc_part(gensec_krb5_state->context, repl);
+			krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl);
 		}
 		return nt_status;
 	}
@@ -512,7 +494,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 		/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
 		if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
 			nt_status = ads_verify_ticket(out_mem_ctx, 
-						      gensec_krb5_state->context, 
+						      gensec_krb5_state->smb_krb5_context->krb5_context, 
 						      gensec_krb5_state->auth_context, 
 						      lp_realm(), 
 						      gensec_get_target_service(gensec_security), &in, 
@@ -521,7 +503,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 		} else {
 			/* TODO: check the tok_id */
 			nt_status = ads_verify_ticket(out_mem_ctx, 
-						      gensec_krb5_state->context, 
+						      gensec_krb5_state->smb_krb5_context->krb5_context, 
 						      gensec_krb5_state->auth_context, 
 						      lp_realm(), 
 						      gensec_get_target_service(gensec_security), 
@@ -558,10 +540,10 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 }
 
 static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, 
-					   DATA_BLOB *session_key) 
+					DATA_BLOB *session_key) 
 {
 	struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
-	krb5_context context = gensec_krb5_state->context;
+	krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
 	krb5_auth_context auth_context = gensec_krb5_state->auth_context;
 	krb5_keyblock *skey;
 	krb5_error_code err;
diff --git a/source4/auth/kerberos/clikrb5.c b/source4/auth/kerberos/clikrb5.c
index ec8f60fbb3..dc02cf7b01 100644
--- a/source4/auth/kerberos/clikrb5.c
+++ b/source4/auth/kerberos/clikrb5.c
@@ -3,6 +3,7 @@
    simple kerberos5 routines for active directory
    Copyright (C) Andrew Tridgell 2001
    Copyright (C) Luke Howard 2002-2003
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -475,4 +476,103 @@ cleanup_princ:
 	return ret;
 }
 
+
+static int smb_krb5_context_destory_1(void *ptr) 
+{
+	struct smb_krb5_context *ctx = ptr;
+	krb5_free_context(ctx->krb5_context); 
+	return 0;
+}
+
+#if defined(HAVE_KRB5_INITLOG) && defined(HAVE_KRB5_ADDLOG_FUNC) && defined(HAVE_KRB5_FREELOG)
+static int smb_krb5_context_destory_2(void *ptr) 
+{
+	struct smb_krb5_context *ctx = ptr;
+
+	/* Otherwise krb5_free_context will try and close what we have already free()ed */
+	krb5_set_warn_dest(ctx->krb5_context, NULL);
+	krb5_freelog(ctx->krb5_context, ctx->logf);
+	smb_krb5_context_destory_1(ptr);
+	return 0;
+}
+
+/* We never close down the DEBUG system, and no need to unreference the use */
+static void smb_krb5_debug_close(void *private) {
+	return;
+}
+
+static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *private) 
+{
+	DEBUG(3, ("Kerberos: %s\n", msg));
+}
+
+#endif
+
+ krb5_error_code smb_krb5_init_context(TALLOC_CTX *parent_ctx, 
+				       struct smb_krb5_context **smb_krb5_context) 
+{
+	krb5_error_code ret;
+	TALLOC_CTX *tmp_ctx;
+	
+	*smb_krb5_context = talloc(parent_ctx, struct smb_krb5_context);
+	tmp_ctx = talloc_new(*smb_krb5_context);
+
+	if (!*smb_krb5_context || !tmp_ctx) {
+		talloc_free(*smb_krb5_context);
+		talloc_free(tmp_ctx);
+		return ENOMEM;
+	}
+
+	ret = krb5_init_context(&(*smb_krb5_context)->krb5_context);
+	if (ret) {
+		DEBUG(1,("krb5_init_context failed (%s)\n", 
+			 error_message(ret)));
+		return ret;
+	}
+
+	talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destory_1);
+
+	if (lp_realm() && *lp_realm()) {
+		char *upper_realm = strupper_talloc(tmp_ctx, lp_realm());
+		if (!upper_realm) {
+			DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm()));
+			return ENOMEM;
+		}
+		ret = krb5_set_default_realm((*smb_krb5_context)->krb5_context, lp_realm());
+		if (ret) {
+			DEBUG(1,("krb5_set_default_realm failed (%s)\n", 
+				 smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
+			talloc_free(*smb_krb5_context);
+			return ret;
+		}
+	}
+
+#if defined(HAVE_KRB5_INITLOG) && defined(HAVE_KRB5_ADDLOG_FUNC) && defined(HAVE_KRB5_FREELOG)
+	/* TODO: Should we have a different name here? */
+	ret = krb5_initlog((*smb_krb5_context)->krb5_context, "Samba", &(*smb_krb5_context)->logf);
+	
+	if (ret) {
+		DEBUG(1,("krb5_initlog failed (%s)\n", 
+			 smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
+		talloc_free(*smb_krb5_context);
+		return ret;
+	}
+
+	talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destory_2);
+
+	ret = krb5_addlog_func((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf, 0 /* min */, -1 /* max */, 
+			       smb_krb5_debug_wrapper, smb_krb5_debug_close, NULL);
+	if (ret) {
+		DEBUG(1,("krb5_addlog_func failed (%s)\n", 
+			 smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
+		talloc_free(*smb_krb5_context);
+		return ret;
+	}
+	krb5_set_warn_dest((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf);
+
+#endif	
+	talloc_free(tmp_ctx);
+	return 0;
+}
+
 #endif
diff --git a/source4/auth/kerberos/config.m4 b/source4/auth/kerberos/config.m4
index 9cb66554ca..010a1c85da 100644
--- a/source4/auth/kerberos/config.m4
+++ b/source4/auth/kerberos/config.m4
@@ -260,6 +260,9 @@ if test x"$with_krb5_support" != x"no"; then
 	AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS)
 	AC_CHECK_FUNC_EXT(krb5_get_error_string, $KRB5_LIBS)
 	AC_CHECK_FUNC_EXT(krb5_free_error_string, $KRB5_LIBS)
+	AC_CHECK_FUNC_EXT(krb5_initlog, $KRB5_LIBS)
+	AC_CHECK_FUNC_EXT(krb5_freelog, $KRB5_LIBS)
+	AC_CHECK_FUNC_EXT(krb5_addlog_func, $KRB5_LIBS)
 
 	LIBS="$LIBS $KRB5_LIBS"
   
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index ec7df4c2f1..b65416e619 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -21,6 +21,12 @@
 
 #if defined(HAVE_KRB5)
 
+struct smb_krb5_context {
+	krb5_context krb5_context;
+	krb5_log_facility *logf;
+};
+	
+
 /* not really ASN.1, but RFC 1964 */
 #define TOK_ID_KRB_AP_REQ	"\x01\x00"
 #define TOK_ID_KRB_AP_REP	"\x02\x00"
@@ -96,9 +102,11 @@ void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
 krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
 char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
 NTSTATUS kinit_to_ccache(TALLOC_CTX *parent_ctx,
-			 struct cli_credentials *credentials,
-			 krb5_context context,
-			 krb5_ccache *ccache,
-			 const char **ccache_name);
+			  struct cli_credentials *credentials,
+			  struct smb_krb5_context *smb_krb5_context,
+			  krb5_ccache *ccache,
+			  const char **ccache_name);
+krb5_error_code smb_krb5_init_context(TALLOC_CTX *parent_ctx, 
+				      struct smb_krb5_context **smb_krb5_context); 
 #endif /* HAVE_KRB5 */
 
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 55975b2594..7945094be9 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -29,19 +29,17 @@
 #include "auth/auth.h"
 
 struct ccache_container {
-	krb5_context krb5_context;
+	struct smb_krb5_context *smb_krb5_context;
 	krb5_ccache ccache;
 } ccache_container;
 
-#if 0
 static int free_ccache(void *ptr) {
 	struct ccache_container *ccc = ptr;
 	/* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
-	krb5_cc_close(ccc->krb5_context, ccc->ccache);
+	krb5_cc_close(ccc->smb_krb5_context->krb5_context, ccc->ccache);
 
 	return 0;
 }
-#endif
 
 /**
  * Return a freshly allocated ccache (destroyed by destructor on child
@@ -50,7 +48,7 @@ static int free_ccache(void *ptr) {
 
  NTSTATUS kinit_to_ccache(TALLOC_CTX *parent_ctx,
 			  struct cli_credentials *credentials,
-			  krb5_context context,
+			  struct smb_krb5_context *smb_krb5_context,
 			  krb5_ccache *ccache,
 			  const char **ccache_name) 
 {
@@ -71,7 +69,7 @@ static int free_ccache(void *ptr) {
 					cli_credentials_get_principal(credentials, mem_ctx), 
 					generate_random_str(mem_ctx, 16));
 	
-	ret = krb5_cc_resolve(context, ccache_string, ccache);
+	ret = krb5_cc_resolve(smb_krb5_context->krb5_context, ccache_string, ccache);
 	if (ret) {
 		DEBUG(1,("failed to generate a new krb5 keytab (%s): %s\n", 
 			 ccache_string,
@@ -80,13 +78,11 @@ static int free_ccache(void *ptr) {
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 
-	mem_ctx->krb5_context = context;
+	mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
 	mem_ctx->ccache = *ccache;
 
-#if 0
 	talloc_set_destructor(mem_ctx, free_ccache);
-#endif
-	ret = kerberos_kinit_password_cc(context, *ccache, 
+	ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache, 
 					 cli_credentials_get_principal(credentials, mem_ctx), 
 					 password, NULL, &kdc_time);
 	
@@ -95,13 +91,13 @@ static int free_ccache(void *ptr) {
 		time_t t = time(NULL);
 		int time_offset =(unsigned)kdc_time-t;
 		DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
-		krb5_set_real_time(context, t + time_offset + 1, 0);
+		krb5_set_real_time(smb_krb5_context->krb5_context, t + time_offset + 1, 0);
 	}
 	
 	if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
 		DEBUG(1,("kinit for %s failed (%s)\n", 
 			 cli_credentials_get_principal(credentials, mem_ctx), 
-			 smb_get_krb5_error_message(context, 
+			 smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
 						    ret, mem_ctx)));
 		talloc_free(mem_ctx);
 		return NT_STATUS_TIME_DIFFERENCE_AT_DC;
@@ -109,7 +105,7 @@ static int free_ccache(void *ptr) {
 	if (ret) {
 		DEBUG(1,("kinit for %s failed (%s)\n", 
 			 cli_credentials_get_principal(credentials, mem_ctx), 
-			 smb_get_krb5_error_message(context, 
+			 smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
 						    ret, mem_ctx)));
 		talloc_free(mem_ctx);
 		return NT_STATUS_WRONG_PASSWORD;
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index caa5a5c801..d4c281de82 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -1035,8 +1035,6 @@ krb5_error_code hdb_ldb_create(krb5_context context, struct HDB **db, const char
 		}
 	}
 
-	krb5_warnx(context, "hdb_ldb_create: hdb_name '%s'\n", (*db)->hdb_name);
-
 	(*db)->hdb_openp = 0;
 	(*db)->hdb_open = LDB_open;
 	(*db)->hdb_close = LDB_close;
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 21461c0f09..40250bbc3a 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -107,7 +107,7 @@ static void kdc_recv_handler(struct kdc_socket *kdc_socket)
 	src_sock_addr.sin_family      = PF_INET;
 	
 	/* Call krb5 */
-	if (krb5_kdc_process_krb5_request(kdc_socket->kdc->krb5_context, 
+	if (krb5_kdc_process_krb5_request(kdc_socket->kdc->smb_krb5_context->krb5_context, 
 					  kdc_socket->kdc->config,
 					  blob.data, blob.length, 
 					  &reply,
@@ -157,7 +157,7 @@ static void kdc_socket_handler(struct event_context *ev, struct fd_event *fde,
 */
 static NTSTATUS kdc_add_socket(struct kdc_server *kdc, const char *address)
 {
-	struct kdc_socket *kdc_socket;
+ 	struct kdc_socket *kdc_socket;
 	NTSTATUS status;
 
 	kdc_socket = talloc(kdc, struct kdc_socket);
@@ -251,7 +251,7 @@ static void kdc_task_init(struct task_server *task)
 
 	initialize_krb5_error_table();
 
-	ret = krb5_init_context(&kdc->krb5_context);
+	ret = smb_krb5_init_context(kdc, &kdc->smb_krb5_context);
 	if (ret) {
 		DEBUG(1,("kdc_task_init: krb5_init_context failed (%s)\n", 
 			 error_message(ret)));
@@ -259,9 +259,7 @@ static void kdc_task_init(struct task_server *task)
 		return; 
 	}
 
-	/* TODO: Fill in the hdb and logging details */
-	kdc_openlog(kdc->krb5_context, kdc->config);
-	
+	kdc->config->logf = kdc->smb_krb5_context->logf;
 	kdc->config->db = talloc(kdc->config, struct HDB *);
 	if (!kdc->config->db) {
 		task_terminate(task, "kdc: out of memory");
@@ -269,10 +267,11 @@ static void kdc_task_init(struct task_server *task)
 	}
 	kdc->config->num_db = 1;
 		
-	ret = hdb_ldb_create(kdc->krb5_context, &kdc->config->db[0], lp_sam_url());
+	ret = hdb_ldb_create(kdc->smb_krb5_context->krb5_context, 
+			     &kdc->config->db[0], lp_sam_url());
 	if (ret != 0) {
 		DEBUG(1, ("kdc_task_init: hdb_ldb_create fails: %s\n", 
-			  smb_get_krb5_error_message(kdc->krb5_context, ret, kdc))); 
+			  smb_get_krb5_error_message(kdc->smb_krb5_context->krb5_context, ret, kdc))); 
 		task_terminate(task, "kdc: hdb_ldb_create failed");
 		return; 
 	}
diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h
index 2e81679e57..d766e21e6e 100644
--- a/source4/kdc/kdc.h
+++ b/source4/kdc/kdc.h
@@ -41,7 +41,7 @@ struct kdc_reply {
 struct kdc_server {
 	struct task_server *task;
 	struct krb5_kdc_configuration *config;
-	krb5_context krb5_context;
+	struct smb_krb5_context *smb_krb5_context;
 };
 
 /* hold information about one kdc socket */