-rw-r--r--lib/krb5_wrap/krb5_samba.h3
-rw-r--r--source4/auth/gensec/gensec_gssapi.c30
-rwxr-xr-xsource4/heimdal_build/wscript_configure2
-rw-r--r--wscript_configure_krb516
4 files changed, 40 insertions, 11 deletions
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 15da39c037..8d55a32f15 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -53,6 +53,9 @@
#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC)
#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
#endif
+#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC_EXP)
+#define ENCTYPE_ARCFOUR_HMAC_EXP ENCTYPE_ARCFOUR_HMAC_MD5_56
+#endif
/* The older versions of heimdal that don't have this
define don't seem to use it anyway. I'm told they
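Review bot: Nothing in this block provides `ENCTYPE_ARCFOUR_HMAC_EXP` when neither `HAVE_ENCTYPE_ARCFOUR_HMAC_EXP` nor `HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56` is set, yet the `gensec_gssapi_sig_size` hunk in this commit uses the name in an unconditional `case` label, so such a build would presumably stop compiling. Either guard that case label on the same macros or state here that one of the two spellings is required. The alias also has no comment; something like `/* 56-bit export RC4: map the ..._MD5_56 spelling onto ..._EXP so callers can recognise it */` would make clear that it exists to identify a legacy enctype, not to encourage negotiating it.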
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index dde481a41c..6d6ea3cf28 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -42,6 +42,12 @@
#include "lib/util/util_net.h"
#include "auth/kerberos/pac_utils.h"
+#ifndef gss_mech_spnego
+gss_OID_desc spnego_mech_oid_desc =
+ { 6, discard_const_p(void, "\x2b\x06\x01\x05\x05\x02") };
+#define gss_mech_spnego (&spnego_mech_oid_desc)
+#endif
+
_PUBLIC_ NTSTATUS gensec_gssapi_init(void);
static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
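Review bot: The fallback `spnego_mech_oid_desc` at the top of this hunk is defined without `static`, so it has external linkage and is writable from any translation unit. It is only reached through the `gss_mech_spnego` macro defined two lines later, so `static gss_OID_desc spnego_mech_oid_desc =` would keep it private to this file. The `#ifndef gss_mech_spnego` test only detects a macro; if a GSSAPI library exports `gss_mech_spnego` as a plain symbol, the fallback would shadow it, which is worth confirming against the supported libraries. A short comment naming the OID next to the byte string, `/* SPNEGO, 1.3.6.1.5.5.2 */`, would let a reader check the six encoded bytes without decoding them by hand.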
@@ -166,7 +172,8 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
break;
case DCERPC_AUTH_TYPE_KRB5:
default:
- gensec_gssapi_state->gss_oid = gss_mech_krb5;
+ gensec_gssapi_state->gss_oid =
+ discard_const_p(void, gss_mech_krb5);
break;
}
@@ -199,6 +206,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
+#ifdef SAMBA4_USES_HEIMDAL
realm = lpcfg_realm(gensec_security->settings->lp_ctx);
if (realm != NULL) {
ret = gsskrb5_set_default_realm(realm);
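Review bot: With the `#ifdef SAMBA4_USES_HEIMDAL` added here (closed by the `#endif` in the next hunk), a non-Heimdal build skips `gsskrb5_set_default_realm(realm)` and everything else in the guarded region without any trace, so the realm read by `lpcfg_realm()` is no longer applied to GSSAPI on those builds. That is presumably intended, but it changes which realm the library falls back to, so I would add a comment at the `#ifdef` such as `/* gsskrb5_* calls are Heimdal-only; other builds do not override the library's default realm here */`. `realm` and `ret` are declared outside this hunk and may become unused on non-Heimdal builds. The body of gensec_gssapi_start starts outside the hunk.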
@@ -216,7 +224,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
}
-
+#endif
return NT_STATUS_OK;
}
@@ -433,7 +441,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
switch (gensec_security->gensec_role) {
case GENSEC_CLIENT:
{
+#ifdef SAMBA4_USES_HEIMDAL
struct gsskrb5_send_to_kdc send_to_kdc;
+#endif
krb5_error_code ret;
nt_status = gensec_gssapi_client_creds(gensec_security, ev);
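Review bot: `krb5_error_code ret;` stays unconditional while `send_to_kdc` becomes Heimdal-only, and the one visible use of `ret` (`ret = gsskrb5_set_send_to_kdc(&send_to_kdc);` in the hunk at new line 481) moves inside `#ifdef SAMBA4_USES_HEIMDAL`. Unless `ret` is used elsewhere in this `GENSEC_CLIENT` block, non-Heimdal builds will get an unused-variable warning, which breaks builds that treat warnings as errors; moving the declaration inside the same `#ifdef` avoids that. Both guarded blocks also log `gensec_krb5_start:` although they are in `gensec_gssapi_update`, which will misdirect anyone reading the logs after a failure. The case block continues outside the hunk.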
@@ -444,14 +454,13 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
#ifdef SAMBA4_USES_HEIMDAL
send_to_kdc.func = smb_krb5_send_and_recv_func;
send_to_kdc.ptr = ev;
-#endif
min_stat = gsskrb5_set_send_to_kdc(&send_to_kdc);
if (min_stat) {
DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
return NT_STATUS_INTERNAL_ERROR;
}
-
+#endif
maj_stat = gss_init_sec_context(&min_stat,
gensec_gssapi_state->client_cred->creds,
&gensec_gssapi_state->gssapi_context,
@@ -472,14 +481,13 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
#ifdef SAMBA4_USES_HEIMDAL
send_to_kdc.func = smb_krb5_send_and_recv_func;
send_to_kdc.ptr = NULL;
-#endif
ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
if (ret) {
DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
return NT_STATUS_INTERNAL_ERROR;
}
-
+#endif
break;
}
case GENSEC_SERVER:
@@ -1435,22 +1443,24 @@ static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, si
}
} else if (gensec_gssapi_state->lucid->protocol == 0) {
switch (gensec_gssapi_state->lucid->rfc1964_kd.ctx_key.type) {
- case KEYTYPE_DES:
- case KEYTYPE_ARCFOUR:
- case KEYTYPE_ARCFOUR_56:
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_ARCFOUR_HMAC:
+ case ENCTYPE_ARCFOUR_HMAC_EXP:
if (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG) {
gensec_gssapi_state->sig_size = 45;
} else {
gensec_gssapi_state->sig_size = 37;
}
break;
- case KEYTYPE_DES3:
+#ifdef SAMBA4_USES_HEIMDAL
+ case ENCTYPE_OLD_DES3_CBC_SHA1:
if (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG) {
gensec_gssapi_state->sig_size = 57;
} else {
gensec_gssapi_state->sig_size = 49;
}
break;
+#endif
}
}
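Review bot: The `switch` on `rfc1964_kd.ctx_key.type` has no `default:`, and with `ENCTYPE_OLD_DES3_CBC_SHA1` now compiled only for Heimdal, a non-Heimdal build that meets a DES3 key (or any other unlisted type) leaves `sig_size` at whatever it held before. If later code returns that value or sizes a buffer from it, the result is a silent miscalculation rather than an error. I would add `default: DEBUG(1, ("gensec_gssapi_sig_size: unhandled rfc1964 key type\n"));` followed by whatever error path this function already uses. A comment above the first case, `/* legacy RFC 1964 key types, listed so old contexts get the right token overhead */`, would explain why DES and export RC4 still appear. The function continues outside the hunk, so the handling after the switch is not visible here.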
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index 17b7361cad..0b6ae88a35 100755
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -147,9 +147,9 @@ conf.define('HAVE_ETYPE_IN_ENCRYPTEDDATA', 1)
conf.define('KRB5_PRINC_REALM_RETURNS_REALM', 1)
conf.define('HAVE_KRB5_PRINCIPAL_GET_REALM', 1)
conf.define('HAVE_KRB5_H', 1)
-conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', 1)
conf.define('HAVE_AP_OPTS_USE_SUBKEY', 1)
conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', 1)
+conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56', 1)
conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC', 1)
conf.define('HAVE_KRB5_PDU_NONE_DECL', 1)
conf.define('HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96', 1)
diff --git a/wscript_configure_krb5 b/wscript_configure_krb5
index 26a92a8a94..ba7ecf3c16 100644
--- a/wscript_configure_krb5
+++ b/wscript_configure_krb5
@@ -158,6 +158,13 @@ conf.CHECK_CODE('''
headers='krb5.h', lib='krb5',
msg="Checking whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type definition is available");
conf.CHECK_CODE('''
+ krb5_enctype enctype;
+ enctype = ENCTYPE_ARCFOUR_HMAC_MD5_56;
+ ''',
+ '_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56',
+ headers='krb5.h', lib='krb5',
+ msg="Checking whether the ENCTYPE_ARCFOUR_HMAC_MD5_56 key type definition is available");
+conf.CHECK_CODE('''
krb5_keytype keytype;
keytype = KEYTYPE_ARCFOUR_56;
''',
@@ -166,6 +173,8 @@ conf.CHECK_CODE('''
msg="Checking whether the HAVE_KEYTYPE_ARCFOUR_56 key type definition is available");
if conf.CONFIG_SET('_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5') and conf.CONFIG_SET('_HAVE_KEYTYPE_ARCFOUR_56'):
conf.DEFINE('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', '1')
+if conf.CONFIG_SET('_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56') and conf.CONFIG_SET('_HAVE_KEYTYPE_ARCFOUR_56'):
+ conf.DEFINE('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56', '1')
conf.CHECK_CODE('''
krb5_enctype enctype;
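Review bot: The new `HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56` define is gated on `_HAVE_KEYTYPE_ARCFOUR_56` as well as on the enctype probe, which looks copied from the line above. The header alias it feeds only needs the enctype name, and the C hunk in this commit replaces the `KEYTYPE_*` labels with `ENCTYPE_*`, so a library that offers the enctype but not the keytype would lose the alias for no visible reason. If the coupling is not needed, `if conf.CONFIG_SET('_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56'):` is enough; if it is needed, a comment saying why would help. The probe message in the preceding hunk also calls an enctype a "key type definition".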
@@ -174,6 +183,13 @@ conf.CHECK_CODE('''
'HAVE_ENCTYPE_ARCFOUR_HMAC',
headers='krb5.h', lib='krb5',
msg="Checking whether the ENCTYPE_ARCFOUR_HMAC key type definition is available");
+conf.CHECK_CODE('''
+ krb5_enctype enctype;
+ enctype = ENCTYPE_ARCFOUR_HMAC_EXP;
+ ''',
+ 'HAVE_ENCTYPE_ARCFOUR_HMAC_EXP',
+ headers='krb5.h', lib='krb5',
+ msg="Checking whether the ENCTYPE_ARCFOUR_HMAC_EXP key type definition is available");
conf.CHECK_CODE('''
krb5_context context;