20 files changed, 363 insertions, 82 deletions
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
new file mode 100644
index 0000000000..aedd23f1c5
--- /dev/null
+++ b/source3/libads/ads_proto.h
@@ -0,0 +1,171 @@
+/* The following definitions come from libads/ads_struct.c  */
+
+char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse);
+char *ads_build_dn(const char *realm);
+char *ads_build_domain(const char *dn);
+ADS_STRUCT *ads_init(const char *realm,
+		     const char *workgroup,
+		     const char *ldap_server);
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
+void ads_destroy(ADS_STRUCT **ads);
+
+const char *ads_get_ldap_server_name(ADS_STRUCT *ads);
+
+/* The following definitions come from libads/disp_sec.c  */
+
+void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd);
+
+/* The following definitions come from libads/kerberos_keytab.c  */
+
+int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc);
+int ads_keytab_flush(ADS_STRUCT *ads);
+int ads_keytab_create_default(ADS_STRUCT *ads);
+int ads_keytab_list(const char *keytab_name);
+
+/* The following definitions come from libads/krb5_errs.c  */
+
+/* The following definitions come from libads/kerberos_util.c  */
+
+ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
+				    const char *machine_account,
+				    const char *password);
+int ads_kinit_password(ADS_STRUCT *ads);
+
+/* The following definitions come from libads/ldap.c  */
+
+bool ads_sitename_match(ADS_STRUCT *ads);
+bool ads_closest_dc(ADS_STRUCT *ads);
+ADS_STATUS ads_connect(ADS_STRUCT *ads);
+ADS_STATUS ads_connect_user_creds(ADS_STRUCT *ads);
+ADS_STATUS ads_connect_gc(ADS_STRUCT *ads);
+void ads_disconnect(ADS_STRUCT *ads);
+ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path,
+				int scope, const char *expr, const char **attrs,
+				bool (*fn)(ADS_STRUCT *, char *, void **, void *),
+				void *data_area);
+char *ads_parent_dn(const char *dn);
+ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx);
+ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+		       const char *name, const char *val);
+ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+			   const char *name, const char **vals);
+ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods);
+ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods);
+ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn);
+char *ads_ou_string(ADS_STRUCT *ads, const char *org_unit);
+char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid);
+ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+				const char *name, const char **vals);
+uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
+uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
+ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
+ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
+                                          const char *my_fqdn, const char *spn);
+ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+                                   const char *org_unit);
+ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+                                 const char *org_unit, bool *moved);
+int ads_count_replies(ADS_STRUCT *ads, void *res);
+ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32 *usn);
+ADS_STATUS ads_current_time(ADS_STRUCT *ads);
+ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32 *val);
+ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, struct dom_sid *sid);
+ADS_STATUS ads_site_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **site_name);
+ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *computer_name, const char **site_dn);
+ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***suffixes, size_t *num_suffixes);
+ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads,
+				TALLOC_CTX *mem_ctx,
+				char ***ous,
+				size_t *num_ous);
+ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
+					const char *extended_dn,
+					enum ads_extended_dn_flags flags,
+					struct dom_sid *sid);
+char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
+char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
+char* ads_get_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
+ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
+			uint32 account_type, const char *org_unit);
+ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname);
+ADS_STATUS ads_find_samaccount(ADS_STRUCT *ads,
+			       TALLOC_CTX *mem_ctx,
+			       const char *samaccountname,
+			       uint32 *uac_ret,
+			       const char **dn_ret);
+ADS_STATUS ads_config_path(ADS_STRUCT *ads,
+			   TALLOC_CTX *mem_ctx,
+			   char **config_path);
+const char *ads_get_extended_right_name_by_guid(ADS_STRUCT *ads,
+						const char *config_path,
+						TALLOC_CTX *mem_ctx,
+						const struct GUID *rights_guid);
+ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx,
+			   ADS_STRUCT *ads,
+			   const char **account_ou);
+
+/* The following definitions come from libads/ldap_printer.c  */
+
+ADS_STATUS ads_mod_printer_entry(ADS_STRUCT *ads, char *prt_dn,
+				 TALLOC_CTX *ctx, const ADS_MODLIST *mods);
+ADS_STATUS ads_add_printer_entry(ADS_STRUCT *ads, char *prt_dn,
+					TALLOC_CTX *ctx, ADS_MODLIST *mods);
+WERROR get_remote_printer_publishing_data(struct rpc_pipe_client *cli,
+					  TALLOC_CTX *mem_ctx,
+					  ADS_MODLIST *mods,
+					  const char *printer);
+
+/* The following definitions come from libads/ldap_user.c  */
+
+ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user,
+			     const char *container, const char *fullname);
+ADS_STATUS ads_add_group_acct(ADS_STRUCT *ads, const char *group,
+			      const char *container, const char *comment);
+
+/* The following definitions come from libads/ldap_utils.c  */
+
+ADS_STATUS ads_ranged_search(ADS_STRUCT *ads,
+			     TALLOC_CTX *mem_ctx,
+			     int scope,
+			     const char *base,
+			     const char *filter,
+			     void *args,
+			     const char *range_attr,
+			     char ***strings,
+			     size_t *num_strings);
+ADS_STATUS ads_ranged_search_internal(ADS_STRUCT *ads,
+				      TALLOC_CTX *mem_ctx,
+				      int scope,
+				      const char *base,
+				      const char *filter,
+				      const char **attrs,
+				      void *args,
+				      const char *range_attr,
+				      char ***strings,
+				      size_t *num_strings,
+				      uint32 *first_usn,
+				      int *num_retries,
+				      bool *more_values);
+
+/* The following definitions come from libads/ndr.c  */
+
+void ndr_print_ads_auth_flags(struct ndr_print *ndr, const char *name, uint32_t r);
+void ndr_print_ads_struct(struct ndr_print *ndr, const char *name, const struct ads_struct *r);
+
+/* The following definitions come from libads/sasl.c  */
+
+ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads);
+
+/* The following definitions come from libads/sasl_wrapping.c  */
+
+ADS_STATUS ads_setup_sasl_wrapping(ADS_STRUCT *ads,
+				   const struct ads_saslwrap_ops *ops,
+				   void *private_data);
+ADS_STATUS ads_setup_sasl_wrapping(ADS_STRUCT *ads,
+				   const struct ads_saslwrap_ops *ops,
+				   void *private_data);
+
+/* The following definitions come from libads/util.c  */
+
+ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal);
+ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
+				       char **returned_principal);
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index e01a36cbae..7794952387 100644
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
@@ -19,6 +19,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 
 /* return a ldap dn path from a string, given separators and field name
    caller must free
diff --git a/source3/libads/ads_utils.c b/source3/libads/ads_utils.c
index 213242c223..ec3efa8550 100644
--- a/source3/libads/ads_utils.c
+++ b/source3/libads/ads_utils.c
@@ -20,6 +20,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 
 const char *ads_get_ldap_server_name(ADS_STRUCT *ads)
 {
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 00062f4457..3c529dbe7a 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -25,6 +25,7 @@
 #include "includes.h"
 #include "librpc/gen_ndr/ndr_krb5pac.h"
 #include "smb_krb5.h"
+#include "libads/kerberos_proto.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source3/libads/disp_sec.c b/source3/libads/disp_sec.c
index d05b5085f0..05ac216bbe 100644
--- a/source3/libads/disp_sec.c
+++ b/source3/libads/disp_sec.c
@@ -18,6 +18,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "libads/ldap_schema.h"
 
 /* for ADS */
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index f34b9cad09..c48944ae6f 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -24,6 +24,7 @@
 #include "includes.h"
 #include "smb_krb5.h"
 #include "../librpc/gen_ndr/ndr_misc.h"
+#include "libads/kerberos_proto.h"
 
 #ifdef HAVE_KRB5
 
@@ -284,58 +285,6 @@ int kerberos_kinit_password_ext(const char *principal,
 	return code;
 }
 
-
-
-/* run kinit to setup our ccache */
-int ads_kinit_password(ADS_STRUCT *ads)
-{
-	char *s;
-	int ret;
-	const char *account_name;
-	fstring acct_name;
-
-	if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
-		account_name = ads->auth.user_name;
-		goto got_accountname;
-	}
-
-	if ( IS_DC ) {
-		/* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
-		account_name = lp_workgroup();
-	} else {
-		/* always use the sAMAccountName for security = domain */
-		/* global_myname()$@REA.LM */
-		if ( lp_security() == SEC_DOMAIN ) {
-			fstr_sprintf( acct_name, "%s$", global_myname() );
-			account_name = acct_name;
-		}
-		else 
-			/* This looks like host/global_myname()@REA.LM */
-			account_name = ads->auth.user_name;
-	}
-
- got_accountname:
-	if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
-		return KRB5_CC_NOMEM;
-	}
-
-	if (!ads->auth.password) {
-		SAFE_FREE(s);
-		return KRB5_LIBOS_CANTREADPWD;
-	}
-	
-	ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
-			&ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable, 
-			NULL);
-
-	if (ret) {
-		DEBUG(0,("kerberos_kinit_password %s failed: %s\n", 
-			 s, error_message(ret)));
-	}
-	SAFE_FREE(s);
-	return ret;
-}
-
 int ads_kdestroy(const char *cc_name)
 {
 	krb5_error_code code;
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index fa2a1261a2..33b065f654 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -27,6 +27,7 @@
 
 #include "includes.h"
 #include "smb_krb5.h"
+#include "ads.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
new file mode 100644
index 0000000000..7be81fa9a5
--- /dev/null
+++ b/source3/libads/kerberos_proto.h
@@ -0,0 +1,67 @@
+/* The following definitions come from libads/kerberos_verify.c  */
+
+NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
+			   const char *realm,
+			   time_t time_offset,
+			   const DATA_BLOB *ticket,
+			   char **principal,
+			   struct PAC_LOGON_INFO **logon_info,
+			   DATA_BLOB *ap_rep,
+			   DATA_BLOB *session_key,
+			   bool use_replay_cache);
+
+/* The following definitions come from libads/kerberos.c  */
+
+int kerberos_kinit_password_ext(const char *principal,
+				const char *password,
+				int time_offset,
+				time_t *expire_time,
+				time_t *renew_till_time,
+				const char *cache_name,
+				bool request_pac,
+				bool add_netbios_addr,
+				time_t renewable_time,
+				NTSTATUS *ntstatus);
+int ads_kdestroy(const char *cc_name);
+char* kerberos_standard_des_salt( void );
+bool kerberos_secrets_store_des_salt( const char* salt );
+char* kerberos_secrets_fetch_des_salt( void );
+char *kerberos_get_default_realm_from_ccache( void );
+char *kerberos_get_realm_from_hostname(const char *hostname);
+
+bool kerberos_secrets_store_salting_principal(const char *service,
+					      int enctype,
+					      const char *principal);
+int kerberos_kinit_password(const char *principal,
+			    const char *password,
+			    int time_offset,
+			    const char *cache_name);
+bool create_local_private_krb5_conf_for_domain(const char *realm,
+						const char *domain,
+						const char *sitename,
+						struct sockaddr_storage *pss,
+						const char *kdc_name);
+
+/* The following definitions come from libads/authdata.c  */
+
+NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+			     const char *name,
+			     const char *pass,
+			     time_t time_offset,
+			     time_t *expire_time,
+			     time_t *renew_till_time,
+			     const char *cache_name,
+			     bool request_pac,
+			     bool add_netbios_addr,
+			     time_t renewable_time,
+			     const char *impersonate_princ_s,
+			     struct PAC_LOGON_INFO **logon_info);
+
+/* The following definitions come from libads/krb5_setpw.c  */
+
+ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ,
+				 const char *newpw, int time_offset);
+ADS_STATUS kerberos_set_password(const char *kpasswd_server,
+				 const char *auth_principal, const char *auth_password,
+				 const char *target_principal, const char *new_password,
+				 int time_offset);
diff --git a/source3/libads/kerberos_util.c b/source3/libads/kerberos_util.c
new file mode 100644
index 0000000000..4762e1b914
--- /dev/null
+++ b/source3/libads/kerberos_util.c
@@ -0,0 +1,107 @@
+/*
+   Unix SMB/CIFS implementation.
+   krb5 set password implementation
+   Copyright (C) Andrew Tridgell 2001
+   Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "smb_krb5.h"
+#include "ads.h"
+
+#ifdef HAVE_KRB5
+
+/**
+ * Set the machine account password
+ * @param ads connection to ads server
+ * @param hostname machine whose password is being set
+ * @param password new password
+ * @return status of password change
+ **/
+ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
+				    const char *machine_account,
+				    const char *password)
+{
+	ADS_STATUS status;
+	char *principal = NULL;
+
+	/*
+	  we need to use the '$' form of the name here (the machine account name),
+	  as otherwise the server might end up setting the password for a user
+	  instead
+	 */
+	if (asprintf(&principal, "%s@%s", machine_account, ads->config.realm) < 0) {
+		return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+	}
+
+	status = ads_krb5_set_password(ads->auth.kdc_server, principal,
+				       password, ads->auth.time_offset);
+
+	SAFE_FREE(principal);
+	return status;
+}
+
+/* run kinit to setup our ccache */
+int ads_kinit_password(ADS_STRUCT *ads)
+{
+	char *s;
+	int ret;
+	const char *account_name;
+	fstring acct_name;
+
+	if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
+		account_name = ads->auth.user_name;
+		goto got_accountname;
+	}
+
+	if ( IS_DC ) {
+		/* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
+		account_name = lp_workgroup();
+	} else {
+		/* always use the sAMAccountName for security = domain */
+		/* global_myname()$@REA.LM */
+		if ( lp_security() == SEC_DOMAIN ) {
+			fstr_sprintf( acct_name, "%s$", global_myname() );
+			account_name = acct_name;
+		}
+		else
+			/* This looks like host/global_myname()@REA.LM */
+			account_name = ads->auth.user_name;
+	}
+
+ got_accountname:
+	if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
+		return KRB5_CC_NOMEM;
+	}
+
+	if (!ads->auth.password) {
+		SAFE_FREE(s);
+		return KRB5_LIBOS_CANTREADPWD;
+	}
+
+	ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
+			&ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable,
+			NULL);
+
+	if (ret) {
+		DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
+			 s, error_message(ret)));
+	}
+	SAFE_FREE(s);
+	return ret;
+}
+
+#endif
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 2047f0e3b9..f8a6602194 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -25,6 +25,7 @@
 
 #include "includes.h"
 #include "smb_krb5.h"
+#include "libads/kerberos_proto.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index ec5cafc49d..1c04d896de 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -20,6 +20,7 @@
 
 #include "includes.h"
 #include "smb_krb5.h"
+#include "libads/kerberos_proto.h"
 
 #ifdef HAVE_KRB5
 
@@ -806,34 +807,4 @@ ADS_STATUS kerberos_set_password(const char *kpasswd_server,
 				     new_password, time_offset);
 }
 
-
-/**
- * Set the machine account password
- * @param ads connection to ads server
- * @param hostname machine whose password is being set
- * @param password new password
- * @return status of password change
- **/
-ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
-				    const char *machine_account,
-				    const char *password)
-{
-	ADS_STATUS status;
-	char *principal = NULL; 
-
-	/*
-	  we need to use the '$' form of the name here (the machine account name), 
-	  as otherwise the server might end up setting the password for a user
-	  instead
-	 */
-	if (asprintf(&principal, "%s@%s", machine_account, ads->config.realm) < 0) {
-		return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
-	}
-	
-	status = ads_krb5_set_password(ads->auth.kdc_server, principal, 
-				       password, ads->auth.time_offset);
-	
-	SAFE_FREE(principal);
-	return status;
-}
 #endif
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 5adbd6d039..77ab51ee26 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -22,6 +22,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "libads/sitename_cache.h"
 #include "libads/cldap.h"
 #include "libads/dns.h"
diff --git a/source3/libads/ldap_printer.c b/source3/libads/ldap_printer.c
index fff50cfe8b..e4a7d34cf1 100644
--- a/source3/libads/ldap_printer.c
+++ b/source3/libads/ldap_printer.c
@@ -18,6 +18,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "../librpc/gen_ndr/cli_spoolss.h"
 #include "rpc_client/cli_spoolss.h"
 #include "registry.h"
diff --git a/source3/libads/ldap_schema.c b/source3/libads/ldap_schema.c
index c739286abb..80ec45c73c 100644
--- a/source3/libads/ldap_schema.c
+++ b/source3/libads/ldap_schema.c
@@ -19,6 +19,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "libads/ldap_schema.h"
 
 #ifdef HAVE_LDAP
diff --git a/source3/libads/ldap_user.c b/source3/libads/ldap_user.c
index ffd20f9bd2..55421009a7 100644
--- a/source3/libads/ldap_user.c
+++ b/source3/libads/ldap_user.c
@@ -18,6 +18,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "../libds/common/flags.h"
 
 #ifdef HAVE_ADS
diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c
index f9106caed1..c0c1adba30 100644
--- a/source3/libads/ldap_utils.c
+++ b/source3/libads/ldap_utils.c
@@ -21,6 +21,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 
 #ifdef HAVE_LDAP
 /*
diff --git a/source3/libads/ndr.c b/source3/libads/ndr.c
index 397aa2ca60..843ae3b615 100644
--- a/source3/libads/ndr.c
+++ b/source3/libads/ndr.c
@@ -20,6 +20,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "../librpc/gen_ndr/ndr_netlogon.h"
 
 void ndr_print_ads_auth_flags(struct ndr_print *ndr, const char *name, uint32_t r)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index f4a0ac627e..7ad4c9a868 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -20,6 +20,8 @@
 #include "includes.h"
 #include "../libcli/auth/spnego.h"
 #include "../libcli/auth/ntlmssp.h"
+#include "ads.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_LDAP
 
diff --git a/source3/libads/sasl_wrapping.c b/source3/libads/sasl_wrapping.c
index 2bfa079235..d7353ac79c 100644
--- a/source3/libads/sasl_wrapping.c
+++ b/source3/libads/sasl_wrapping.c
@@ -18,6 +18,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 
 #ifdef HAVE_LDAP_SASL_WRAPPING
 
diff --git a/source3/libads/util.c b/source3/libads/util.c
index 9dcb906a37..f028c75cfe 100644
--- a/source3/libads/util.c
+++ b/source3/libads/util.c
@@ -18,6 +18,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 
 #ifdef HAVE_KRB5