lean client changes

All changes are under LEAN_CLIENT macro. Application server functionality is disabled.
 

Ticket:new

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20680 dc483132-0cff-0310-8789-dd5450dbe970

33 files changed, 234 insertions, 43 deletions

diff --git a/src/lib/gssapi/gss_libinit.c b/src/lib/gssapi/gss_libinit.c
index bb90857132..4c1755fd26 100644
--- a/src/lib/gssapi/gss_libinit.c
+++ b/src/lib/gssapi/gss_libinit.c
@@ -31,9 +31,11 @@ int gssint_lib_init(void)
     err = gssint_mechglue_init();
     if (err)
 	return err;
+#ifndef LEAN_CLIENT
     err = k5_mutex_finish_init(&gssint_krb5_keytab_lock);
     if (err)
 	return err;
+#endif /* LEAN_CLIENT */
     err = k5_key_register(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, free);
     if (err)
 	return err;
@@ -76,7 +78,9 @@ void gssint_lib_fini(void)
 #ifndef _WIN32
     k5_mutex_destroy(&kg_kdc_flag_mutex);
 #endif
+#ifndef LEAN_CLIENT
     k5_mutex_destroy(&gssint_krb5_keytab_lock);
+#endif /* LEAN_CLIENT */
     gssint_mecherrmap_destroy();
     gssint_mechglue_fini();
 }
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index d7f1225137..6b3e0bf0ea 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000, 2004, 2007  by the Massachusetts Institute of Technology.
+ * Copyright 2000, 2004, 2007, 2008  by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -77,12 +77,15 @@
 #endif
 #include <assert.h>
 
+
 #ifdef CFX_EXERCISE
 #define CFX_ACCEPTOR_SUBKEY (time(0) & 1)
 #else
 #define CFX_ACCEPTOR_SUBKEY 1
 #endif
 
+#ifndef LEAN_CLIENT 
+
 /* Decode, decrypt and store the forwarded creds in the local ccache. */
 static krb5_error_code
 rd_and_store_for_creds(context, auth_context, inbuf, out_cred)
@@ -206,6 +209,7 @@ cleanup:
     return retval;
 }
 
+
 OM_uint32
 krb5_gss_accept_sec_context(minor_status, context_handle, 
 			    verifier_cred_handle, input_token,
@@ -1001,3 +1005,5 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
    }
    return (major_status);
 }
+#endif /* LEAN_CLIENT */
+
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 7754e2452e..55d19fd5af 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000, 2007 by the Massachusetts Institute of Technology.
+ * Copyright 2000, 2007, 2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -91,6 +91,7 @@ static void (*pLeash_AcquireInitialTicketsIfNeeded)(krb5_context,krb5_principal,
 static HANDLE hLeashDLL = INVALID_HANDLE_VALUE;
 #endif
 
+#ifndef LEAN_CLIENT
 k5_mutex_t gssint_krb5_keytab_lock = K5_MUTEX_PARTIAL_INITIALIZER;
 static char *krb5_gss_keytab = NULL;
 
@@ -204,6 +205,7 @@ acquire_accept_cred(context, minor_status, desired_name, output_princ, cred)
 
    return(GSS_S_COMPLETE);
 }
+#endif /* LEAN_CLIENT */
 
 /* get credentials corresponding to the default credential cache.
    If the default name is requested, return the name in output_princ.
@@ -507,7 +509,9 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
    cred->prerfc_mech = req_old;
    cred->rfc_mech = req_new;
 
+#ifndef LEAN_CLIENT
    cred->keytab = NULL;
+#endif /* LEAN_CLIENT */
    cred->ccache = NULL;
 
    code = k5_mutex_init(&cred->lock);
@@ -532,7 +536,7 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
 
    /* if requested, acquire credentials for accepting */
    /* this will fill in cred->princ if the desired_name is not specified */
-
+#ifndef LEAN_CLIENT
    if ((cred_usage == GSS_C_ACCEPT) ||
        (cred_usage == GSS_C_BOTH))
       if ((ret = acquire_accept_cred(context, minor_status, desired_name,
@@ -547,6 +551,7 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
 	 krb5_free_context(context);
 	 return(ret);
       }
+#endif /* LEAN_CLIENT */
 
    /* if requested, acquire credentials for initiation */
    /* this will fill in cred->princ if it wasn't set above, and
@@ -559,8 +564,10 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
 			     cred->princ?(gss_name_t)cred->princ:desired_name,
 			     &(cred->princ), cred))
 	  != GSS_S_COMPLETE) {
+#ifndef LEAN_CLIENT
 	 if (cred->keytab)
 	    krb5_kt_close(context, cred->keytab);
+#endif /* LEAN_CLIENT */
 	 if (cred->princ)
 	    krb5_free_principal(context, cred->princ);
          k5_mutex_destroy(&cred->lock);
@@ -578,8 +585,10 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
 				      &(cred->princ)))) {
 	 if (cred->ccache)
 	    (void)krb5_cc_close(context, cred->ccache);
+#ifndef LEAN_CLIENT
 	 if (cred->keytab)
 	    (void)krb5_kt_close(context, cred->keytab);
+#endif /* LEAN_CLIENT */
          k5_mutex_destroy(&cred->lock);
          xfree(cred);
 	 *minor_status = code;
@@ -601,8 +610,10 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
       if ((code = krb5_timeofday(context, &now))) {
 	 if (cred->ccache)
 	    (void)krb5_cc_close(context, cred->ccache);
+#ifndef LEAN_CLIENT
 	 if (cred->keytab)
 	    (void)krb5_kt_close(context, cred->keytab);
+#endif /* LEAN_CLIENT */
 	 if (cred->princ)
 	    krb5_free_principal(context, cred->princ);
          k5_mutex_destroy(&cred->lock);
@@ -632,8 +643,10 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
 							   &ret_mechs)))) {
 	   if (cred->ccache)
 	       (void)krb5_cc_close(context, cred->ccache);
+#ifndef LEAN_CLIENT
 	   if (cred->keytab)
 	       (void)krb5_kt_close(context, cred->keytab);
+#endif /* LEAN_CLIENT */
 	   if (cred->princ)
 	       krb5_free_principal(context, cred->princ);
            k5_mutex_destroy(&cred->lock);
@@ -651,8 +664,10 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
       free(ret_mechs);
       if (cred->ccache)
 	 (void)krb5_cc_close(context, cred->ccache);
+#ifndef LEAN_CLIENT
       if (cred->keytab)
 	 (void)krb5_kt_close(context, cred->keytab);
+#endif /* LEAN_CLIENT */
       if (cred->princ)
 	 krb5_free_principal(context, cred->princ);
       k5_mutex_destroy(&cred->lock);
diff --git a/src/lib/gssapi/krb5/add_cred.c b/src/lib/gssapi/krb5/add_cred.c
index 3ac32fc2e7..fdcd9c0d33 100644
--- a/src/lib/gssapi/krb5/add_cred.c
+++ b/src/lib/gssapi/krb5/add_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000, 2007 by the Massachusetts Institute of Technology.
+ * Copyright 2000, 2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -209,7 +209,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 	    krb5_free_context(context);
 	    return(GSS_S_FAILURE);
 	}
-	    
+#ifndef LEAN_CLIENT 
 	if (cred->keytab) {
 	    kttype = krb5_kt_get_type(context, cred->keytab);
 	    if ((strlen(kttype)+2) > sizeof(ktboth)) {
@@ -252,16 +252,21 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 		return(GSS_S_FAILURE);
 	    }
 	} else {
+#endif /* LEAN_CLIENT */
 	    new_cred->keytab = NULL;
+#ifndef LEAN_CLIENT 
 	}
+#endif /* LEAN_CLIENT */
 		
 	if (cred->rcache) {
 	    /* Open the replay cache for this principal. */
 	    if ((code = krb5_get_server_rcache(context,
 					       krb5_princ_component(context, cred->princ, 0),
 					       &new_cred->rcache))) {
+#ifndef LEAN_CLIENT 
 		if (new_cred->keytab)
 		    krb5_kt_close(context, new_cred->keytab);
+#endif /* LEAN_CLIENT */
 		if (new_cred->princ)
 		    krb5_free_principal(context, new_cred->princ);
 		xfree(new_cred);
@@ -282,8 +287,10 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 	    if ((strlen(cctype)+strlen(ccname)+2) > sizeof(ccboth)) {
 		if (new_cred->rcache)
 		    krb5_rc_close(context, new_cred->rcache);
+#ifndef LEAN_CLIENT 
 		if (new_cred->keytab)
 		    krb5_kt_close(context, new_cred->keytab);
+#endif /* LEAN_CLIENT */
 		if (new_cred->princ)
 		krb5_free_principal(context, new_cred->princ);
 		xfree(new_cred);
@@ -302,8 +309,10 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 	    if (code) {
 		if (new_cred->rcache)
 		    krb5_rc_close(context, new_cred->rcache);
+#ifndef LEAN_CLIENT 
 		if (new_cred->keytab)
 		    krb5_kt_close(context, new_cred->keytab);
+#endif /* LEAN_CLIENT */
 		if (new_cred->princ)
 		    krb5_free_principal(context, new_cred->princ);
 		xfree(new_cred);
@@ -324,8 +333,10 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 		krb5_cc_close(context, new_cred->ccache);
 	    if (new_cred->rcache)
 		krb5_rc_close(context, new_cred->rcache);
+#ifndef LEAN_CLIENT 
 	    if (new_cred->keytab)
 		krb5_kt_close(context, new_cred->keytab);
+#endif /* LEAN_CLIENT */
 	    if (new_cred->princ)
 	    krb5_free_principal(context, new_cred->princ);
 	    xfree(new_cred);
diff --git a/src/lib/gssapi/krb5/export_sec_context.c b/src/lib/gssapi/krb5/export_sec_context.c
index 867d4d6f50..f20d853d05 100644
--- a/src/lib/gssapi/krb5/export_sec_context.c
+++ b/src/lib/gssapi/krb5/export_sec_context.c
@@ -1,7 +1,7 @@
 /*
  * lib/gssapi/krb5/export_sec_context.c
  *
- * Copyright 1995, 2007 by the Massachusetts Institute of Technology.
+ * Copyright 1995, 2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -29,7 +29,7 @@
  * export_sec_context.c	- Externalize the security context.
  */
 #include "gssapiP_krb5.h"
-
+#ifndef LEAN_CLIENT
 OM_uint32
 krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token)
     OM_uint32		*minor_status;
@@ -103,3 +103,4 @@ error_out:
 	    *minor_status = (OM_uint32) kret;
     return(retval);
 }
+#endif /* LEAN_CLIENT */
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 57c2ed9ea6..33036fc534 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000, 2007 by the Massachusetts Institute of Technology.
+ * Copyright 2000, 2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -211,7 +211,9 @@ typedef struct _krb5_gss_ctx_id_rec {
 
 extern g_set kg_vdb;
 
+#ifndef LEAN_CLIENT
 extern k5_mutex_t gssint_krb5_keytab_lock;
+#endif /* LEAN_CLIENT */
 
 /* helper macros */
 
@@ -363,6 +365,7 @@ OM_uint32 krb5_gss_init_sec_context
             OM_uint32*        /* time_rec */
            );
 
+#ifndef LEAN_CLIENT
 OM_uint32 krb5_gss_accept_sec_context
 (OM_uint32*,       /* minor_status */
             gss_ctx_id_t*,    /* context_handle */
@@ -377,6 +380,7 @@ OM_uint32 krb5_gss_accept_sec_context
             OM_uint32*,       /* time_rec */
             gss_cred_id_t*    /* delegated_cred_handle */
            );
+#endif /* LEAN_CLIENT */
 
 OM_uint32 krb5_gss_process_context_token
 (OM_uint32*,       /* minor_status */
@@ -459,6 +463,7 @@ OM_uint32 krb5_gss_display_name
             gss_OID*         /* output_name_type */
            );
 
+
 OM_uint32 krb5_gss_import_name
 (OM_uint32*,       /* minor_status */
             gss_buffer_t,     /* input_name_buffer */
@@ -574,7 +579,7 @@ OM_uint32 krb5_gss_inquire_cred_by_mech
 	    OM_uint32 *,		/* acceptor_lifetime */
 	    gss_cred_usage_t * 		/* cred_usage */
 	   );
-
+#ifndef LEAN_CLIENT
 OM_uint32 krb5_gss_export_sec_context
 (OM_uint32 *,		/* minor_status */
 	    gss_ctx_id_t *,		/* context_handle */
@@ -586,6 +591,7 @@ OM_uint32 krb5_gss_import_sec_context
 	    gss_buffer_t,		/* interprocess_token */
 	    gss_ctx_id_t *		/* context_handle */
 	    );
+#endif /* LEAN_CLIENT */
 
 krb5_error_code krb5_gss_ser_init(krb5_context);
 
diff --git a/src/lib/gssapi/krb5/krb5_gss_glue.c b/src/lib/gssapi/krb5/krb5_gss_glue.c
index 77cf0da5ee..3b2054bd6b 100644
--- a/src/lib/gssapi/krb5/krb5_gss_glue.c
+++ b/src/lib/gssapi/krb5/krb5_gss_glue.c
@@ -27,6 +27,7 @@
 #include "gssapiP_krb5.h"
 #include "mglueP.h"
 
+
 /** mechglue wrappers **/
 
 static OM_uint32 k5glue_acquire_cred
@@ -61,7 +62,8 @@ static OM_uint32 k5glue_init_sec_context
             OM_uint32*,       /* ret_flags */
             OM_uint32*        /* time_rec */
            );
-
+		   
+#ifndef LEAN_CLIENT
 static OM_uint32 k5glue_accept_sec_context
 (void *, OM_uint32*,       /* minor_status */
             gss_ctx_id_t*,    /* context_handle */
@@ -76,6 +78,7 @@ static OM_uint32 k5glue_accept_sec_context
             OM_uint32*,       /* time_rec */
             gss_cred_id_t*    /* delegated_cred_handle */
            );
+#endif   /* LEAN_CLIENT */
 
 static OM_uint32 k5glue_process_context_token
 (void *, OM_uint32*,       /* minor_status */
@@ -94,7 +97,7 @@ static OM_uint32 k5glue_context_time
             gss_ctx_id_t,     /* context_handle */
             OM_uint32*        /* time_rec */
            );
-
+		   
 static OM_uint32 k5glue_sign
 (void *, OM_uint32*,       /* minor_status */
             gss_ctx_id_t,     /* context_handle */
@@ -156,7 +159,7 @@ static OM_uint32 k5glue_display_name
             gss_name_t,      /* input_name */
             gss_buffer_t,    /* output_name_buffer */
             gss_OID*         /* output_name_type */
-           );
+          );
 
 static OM_uint32 k5glue_import_name
 (void *, OM_uint32*,       /* minor_status */
@@ -278,6 +281,7 @@ static OM_uint32 k5glue_inquire_cred_by_mech
 	    gss_cred_usage_t * 		/* cred_usage */
 	   );
 
+#ifndef LEAN_CLIENT
 static OM_uint32 k5glue_export_sec_context
 (void *, OM_uint32 *,		/* minor_status */
 	    gss_ctx_id_t *,		/* context_handle */
@@ -289,6 +293,7 @@ static OM_uint32 k5glue_import_sec_context
 	    gss_buffer_t,		/* interprocess_token */
 	    gss_ctx_id_t *		/* context_handle */
 	    );
+#endif /* LEAN_CLIENT */
 
 krb5_error_code k5glue_ser_init(krb5_context);
 
@@ -338,13 +343,14 @@ static OM_uint32 k5glue_validate_cred
  * ensure that both dispatch tables contain identical function
  * pointers.
  */
+#ifndef LEAN_CLIENT	
 #define KRB5_GSS_CONFIG_INIT				\
     NULL,						\
     k5glue_acquire_cred,				\
     k5glue_release_cred,				\
     k5glue_init_sec_context,				\
     k5glue_accept_sec_context,				\
-    k5glue_process_context_token,			\
+	k5glue_process_context_token,			\
     k5glue_delete_sec_context,				\
     k5glue_context_time,				\
     k5glue_sign,					\
@@ -369,6 +375,42 @@ static OM_uint32 k5glue_validate_cred
     k5glue_export_name,					\
     NULL			/* store_cred */
 
+#else	/* LEAN_CLIENT */
+
+#define KRB5_GSS_CONFIG_INIT				\
+    NULL,						\
+    k5glue_acquire_cred,				\
+    k5glue_release_cred,				\
+    k5glue_init_sec_context,				\
+    NULL,						\
+	k5glue_process_context_token,			\
+    k5glue_delete_sec_context,				\
+    k5glue_context_time,				\
+    k5glue_sign,					\
+    k5glue_verify,					\
+    k5glue_seal,					\
+    k5glue_unseal,					\
+    k5glue_display_status,				\
+    k5glue_indicate_mechs,				\
+    k5glue_compare_name,				\
+    k5glue_display_name,				\
+    k5glue_import_name,					\
+    k5glue_release_name,				\
+    k5glue_inquire_cred,				\
+    k5glue_add_cred,					\
+    NULL,						\
+    NULL,						\
+    k5glue_inquire_cred_by_mech,			\
+    k5glue_inquire_names_for_mech,			\
+    k5glue_inquire_context,				\
+    k5glue_internal_release_oid,			\
+    k5glue_wrap_size_limit,				\
+    k5glue_export_name,					\
+    NULL			/* store_cred */
+
+#endif /* LEAN_CLIENT */	
+
+
 static struct gss_config krb5_mechanism = {
     100, "kerberos_v5",
     { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID },
@@ -414,6 +456,7 @@ gssint_get_mech_configs(void)
     return krb5_mech_configs;
 }
 
+#ifndef LEAN_CLIENT
 static OM_uint32
 k5glue_accept_sec_context(ctx, minor_status, context_handle, verifier_cred_handle,
 		       input_token, input_chan_bindings, src_name, mech_type, 
@@ -443,6 +486,7 @@ k5glue_accept_sec_context(ctx, minor_status, context_handle, verifier_cred_handl
 				      time_rec,
 				      delegated_cred_handle));
 }
+#endif /* LEAN_CLIENT */
 
 static OM_uint32
 k5glue_acquire_cred(ctx, minor_status, desired_name, time_req, desired_mechs,
@@ -579,7 +623,7 @@ k5glue_display_status(ctx, minor_status, status_value, status_type,
 				  status_type, mech_type, message_context,
 				  status_string));
 }
-
+#ifndef LEAN_CLIENT
 /* V2 */
 static OM_uint32
 k5glue_export_sec_context(ctx, minor_status, context_handle, interprocess_token)
@@ -592,7 +636,7 @@ k5glue_export_sec_context(ctx, minor_status, context_handle, interprocess_token)
 				      context_handle,
 				      interprocess_token));
 }
-
+#endif /* LEAN_CLIENT */
 #if 0
 /* V2 */
 static OM_uint32
@@ -630,6 +674,7 @@ k5glue_import_name(ctx, minor_status, input_name_buffer, input_name_type, output
 				input_name_type, output_name));
 }
 
+#ifndef LEAN_CLIENT
 /* V2 */
 static OM_uint32
 k5glue_import_sec_context(ctx, minor_status, interprocess_token, context_handle)
@@ -642,6 +687,7 @@ k5glue_import_sec_context(ctx, minor_status, interprocess_token, context_handle)
 				      interprocess_token,
 				      context_handle));
 }
+#endif /* LEAN_CLIENT */
 
 static OM_uint32
 k5glue_indicate_mechs(ctx, minor_status, mech_set)
diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c
index efd9a4f4dc..1b4a6ce55c 100644
--- a/src/lib/gssapi/krb5/rel_cred.c
+++ b/src/lib/gssapi/krb5/rel_cred.c
@@ -59,9 +59,11 @@ krb5_gss_release_cred(minor_status, cred_handle)
    else
       code1 = 0;
 
+#ifndef LEAN_CLIENT 
    if (cred->keytab)
       code2 = krb5_kt_close(context, cred->keytab);
    else
+#endif /* LEAN_CLIENT */
       code2 = 0;
 
    if (cred->rcache)
diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index c12e2bf4ff..9527895eee 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -33,6 +33,7 @@
 #include <string.h>
 #include <errno.h>
 
+#ifndef LEAN_CLIENT
 static OM_uint32
 val_acc_sec_ctx_args(
     OM_uint32 *minor_status,
@@ -84,7 +85,6 @@ val_acc_sec_ctx_args(
     return (GSS_S_COMPLETE);
 }
 
-
 OM_uint32 KRB5_CALLCONV
 gss_accept_sec_context (minor_status,
                         context_handle,
@@ -361,4 +361,5 @@ error_out:
 
     return (status);
 }
+#endif /* LEAN_CLIENT */
 
diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c
index 28e25b325a..cf9905f830 100644
--- a/src/lib/gssapi/mechglue/g_exp_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c
@@ -25,6 +25,7 @@
 /*
  *  glue routine for gss_export_sec_context
  */
+#ifndef LEAN_CLIENT
 
 #include "mglueP.h"
 #include <stdio.h>
@@ -135,3 +136,4 @@ gss_buffer_t		interprocess_token;
     
     return(GSS_S_COMPLETE);
 }
+#endif /*LEAN_CLIENT */
diff --git a/src/lib/gssapi/mechglue/g_imp_sec_context.c b/src/lib/gssapi/mechglue/g_imp_sec_context.c
index f83d861707..2b7aacf102 100644
--- a/src/lib/gssapi/mechglue/g_imp_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_imp_sec_context.c
@@ -26,6 +26,8 @@
  *  glue routine gss_export_sec_context
  */
 
+#ifndef LEAN_CLIENT
+
 #include "mglueP.h"
 #include <stdio.h>
 #include <errno.h>
@@ -162,3 +164,4 @@ error_out:
     }
     return status;
 }
+#endif /* LEAN_CLIENT */
diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h
index 1c8fd7a7b5..717181c6b2 100644
--- a/src/lib/gssapi/spnego/gssapiP_spnego.h
+++ b/src/lib/gssapi/spnego/gssapiP_spnego.h
@@ -167,6 +167,7 @@ OM_uint32 spnego_gss_init_sec_context
 	OM_uint32 *		/* time_rec */
 );
 
+#ifndef LEAN_CLIENT
 OM_uint32 spnego_gss_accept_sec_context
 (
 	void *,			/* spnego context */
@@ -183,6 +184,7 @@ OM_uint32 spnego_gss_accept_sec_context
 	/* CSTYLED */
 	gss_cred_id_t *		/* delegated_cred_handle */
 );
+#endif /* LEAN_CLIENT */
 
 OM_uint32 spnego_gss_display_name
 (
@@ -276,7 +278,7 @@ OM_uint32 spnego_gss_context_time
 	const gss_ctx_id_t context_handle,
 	OM_uint32	*time_rec
 );
-
+#ifndef LEAN_CLIENT
 OM_uint32 spnego_gss_export_sec_context
 (
 	void *context,
@@ -292,6 +294,7 @@ OM_uint32 spnego_gss_import_sec_context
 	const gss_buffer_t	interprocess_token,
 	gss_ctx_id_t		*context_handle
 );
+#endif /* LEAN_CLIENT */
 
 OM_uint32 spnego_gss_inquire_context
 (
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 9f68a6ccdf..775306f0be 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006,2007 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2006,2008 by the Massachusetts Institute of Technology.
  * All rights reserved.
  *
  * Export of this software from the United States of America may
@@ -45,6 +45,7 @@
 #include	"gssapiP_spnego.h"
 #include	<gssapi_err_generic.h>
 
+
 #undef g_token_size
 #undef g_verify_token_header
 #undef g_make_token_header
@@ -164,7 +165,11 @@ static struct gss_config spnego_mechanism =
 	spnego_gss_acquire_cred,
 	spnego_gss_release_cred,
 	spnego_gss_init_sec_context,
+#ifndef LEAN_CLIENT
 	spnego_gss_accept_sec_context,
+#else
+	NULL,				
+#endif  /* LEAN_CLIENT */
 	NULL,				/* gss_process_context_token */
 	spnego_gss_delete_sec_context,	/* gss_delete_sec_context */
 	spnego_gss_context_time,	/* gss_context_time */
@@ -180,8 +185,13 @@ static struct gss_config spnego_mechanism =
 	spnego_gss_release_name,
 	NULL,				/* gss_inquire_cred */
 	NULL,				/* gss_add_cred */
-	spnego_gss_export_sec_context,	/* gss_export_sec_context */
-	spnego_gss_import_sec_context,	/* gss_import_sec_context */
+#ifndef LEAN_CLIENT
+	spnego_gss_export_sec_context,		/* gss_export_sec_context */
+	spnego_gss_import_sec_context,		/* gss_import_sec_context */
+#else
+	NULL,				/* gss_export_sec_context */
+	NULL,				/* gss_import_sec_context */
+#endif /* LEAN_CLIENT */
 	NULL, 				/* gss_inquire_cred_by_mech */
 	spnego_gss_inquire_names_for_mech,
 	spnego_gss_inquire_context,	/* gss_inquire_context */
@@ -1091,7 +1101,7 @@ cleanup:
 	gss_release_oid_set(&tmpmin, &mech_set);
 	return ret;
 }
-
+#ifndef LEAN_CLIENT
 /*
  * Wrap call to gss_accept_sec_context() and update state
  * accordingly.
@@ -1290,6 +1300,7 @@ cleanup:
 	}
 	return ret;
 }
+#endif /*  LEAN_CLIENT */
 
 
 /*ARGSUSED*/
@@ -1336,6 +1347,7 @@ spnego_gss_display_status(void *ctx,
 	return (GSS_S_COMPLETE);
 }
 
+
 /*ARGSUSED*/
 OM_uint32
 spnego_gss_import_name(void *ctx,
@@ -1389,6 +1401,7 @@ spnego_gss_display_name(void *ctx,
 	return (status);
 }
 
+
 /*ARGSUSED*/
 OM_uint32
 spnego_gss_inquire_names_for_mech(void *ctx,
@@ -1529,7 +1542,7 @@ spnego_gss_context_time(void *context,
 			    time_rec);
 	return (ret);
 }
-
+#ifndef LEAN_CLIENT
 OM_uint32
 spnego_gss_export_sec_context(void *context,
 			    OM_uint32	  *minor_status,
@@ -1555,6 +1568,7 @@ spnego_gss_import_sec_context(void *context,
 				    context_handle);
 	return (ret);
 }
+#endif /* LEAN_CLIENT */
 
 OM_uint32
 spnego_gss_inquire_context(void *context,
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index bf4ba35849..b792b3846a 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -1,7 +1,7 @@
 /*
  * lib/kdb/kdb_helper.c
  *
- * Copyright 1995, 2007 by the Massachusetts Institute of Technology. 
+ * Copyright 1995, 2008 by the Massachusetts Institute of Technology. 
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -144,8 +144,10 @@ krb5_def_store_mkey(krb5_context   context,
     char defkeyfile[MAXPATHLEN+1];
     char *tmp_ktname = NULL, *tmp_ktpath;
     krb5_data *realm = krb5_princ_realm(context, mname);
+#ifndef LEAN_CLIENT 
     krb5_keytab kt;
     krb5_keytab_entry new_entry;
+#endif /* LEAN_CLIENT */
     struct stat stb;
     int statrc;
 
@@ -190,6 +192,7 @@ krb5_def_store_mkey(krb5_context   context,
         goto out;
     }
 
+#ifndef LEAN_CLIENT 
     /* create new stash keytab using temp file name */
     retval = krb5_kt_resolve(context, tmp_ktname, &kt);
     if (retval != 0)
@@ -199,7 +202,7 @@ krb5_def_store_mkey(krb5_context   context,
     new_entry.principal = mname;
     new_entry.key = *key;
     new_entry.vno = kvno;
-
+#endif /* LEAN_CLIENT */
     /*
      * Set tmp_ktpath to point to the keyfile path (skip WRFILE:).  Subtracting
      * 1 to account for NULL terminator in sizeof calculation of a string
@@ -207,6 +210,7 @@ krb5_def_store_mkey(krb5_context   context,
      */
     tmp_ktpath = tmp_ktname + (sizeof("WRFILE:") - 1);
 
+#ifndef LEAN_CLIENT 
     retval = krb5_kt_add_entry(context, kt, &new_entry);
     if (retval != 0) {
         /* delete tmp keyfile if it exists and an error occurrs */
@@ -221,6 +225,7 @@ krb5_def_store_mkey(krb5_context   context,
                 tmp_ktpath, keyfile, error_message(errno));
         }
     }
+#endif /* LEAN_CLIENT */
 
 out:
     if (tmp_ktname != NULL)
@@ -309,6 +314,7 @@ krb5_db_def_fetch_mkey_stash(krb5_context   context,
     return retval;
 }
 
+#ifndef LEAN_CLIENT 
 static krb5_error_code
 krb5_db_def_fetch_mkey_keytab(krb5_context   context,
                               const char     *keyfile,
@@ -369,6 +375,7 @@ krb5_db_def_fetch_mkey_keytab(krb5_context   context,
 errout:
     return retval;
 }
+#endif /* LEAN_CLIENT */
 
 krb5_error_code
 krb5_db_def_fetch_mkey(krb5_context   context,
@@ -394,15 +401,19 @@ krb5_db_def_fetch_mkey(krb5_context   context,
     /* null terminate no matter what */
     keyfile[sizeof(keyfile) - 1] = '\0';
 
+#ifndef LEAN_CLIENT 
     /* assume the master key is in a keytab */
     retval_kt = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key, kvno);
     if (retval_kt != 0) {
+#endif /* LEAN_CLIENT */
         /*
          * If it's not in a keytab, fall back and try getting the mkey from the
          * older stash file format.
          */
         retval_ofs = krb5_db_def_fetch_mkey_stash(context, keyfile, key, kvno);
+#ifndef LEAN_CLIENT 
     }
+#endif /* LEAN_CLIENT */
 
     if (retval_kt != 0 && retval_ofs != 0) {
         /*
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 357bb12465..cd2298ba54 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/keytab/kt_file.c
  *
- * Copyright 1990,1991,1995,2007 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,1995,2007,2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -25,6 +25,8 @@
  * 
  */
 
+#ifndef LEAN_CLIENT
+
 #include "k5-int.h"
 #include <stdio.h>
 
@@ -1768,3 +1770,5 @@ krb5_ktfileint_find_slot(krb5_context context, krb5_keytab id, krb5_int32 *size_
 
     return 0;
 }
+#endif /* LEAN_CLIENT */
+
diff --git a/src/lib/krb5/keytab/kt_memory.c b/src/lib/krb5/keytab/kt_memory.c
index bf9634e53a..eb1dd77e03 100644
--- a/src/lib/krb5/keytab/kt_memory.c
+++ b/src/lib/krb5/keytab/kt_memory.c
@@ -28,6 +28,8 @@
 #include "kt-int.h"
 #include <stdio.h>
 
+#ifndef LEAN_CLIENT
+
 #define HEIMDAL_COMPATIBLE
 
 /*
@@ -674,3 +676,5 @@ const struct _krb5_kt_ops krb5_mkt_ops = {
     NULL
 };
 
+#endif /* LEAN_CLIENT */
+
diff --git a/src/lib/krb5/keytab/kt_srvtab.c b/src/lib/krb5/keytab/kt_srvtab.c
index 77546446e0..2bc4603454 100644
--- a/src/lib/krb5/keytab/kt_srvtab.c
+++ b/src/lib/krb5/keytab/kt_srvtab.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/keytab/srvtab/kts_resolv.c
  *
- * Copyright 1990,1991,2002,2007 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2002,2007,2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -27,6 +27,8 @@
 #include "k5-int.h"
 #include <stdio.h>
 
+#ifndef LEAN_CLIENT 
+
 /*
  * Constants
  */
@@ -472,3 +474,5 @@ krb5_ktsrvint_read_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry
 
     return 0;
 }
+#endif /* LEAN_CLIENT */
+
diff --git a/src/lib/krb5/keytab/ktadd.c b/src/lib/krb5/keytab/ktadd.c
index b7c1b92164..360dd64cd7 100644
--- a/src/lib/krb5/keytab/ktadd.c
+++ b/src/lib/krb5/keytab/ktadd.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/keytab/ktadd.c
  *
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -29,6 +29,8 @@
 
 #include "k5-int.h"
 
+#ifndef LEAN_CLIENT
+
 krb5_error_code KRB5_CALLCONV
 krb5_kt_add_entry (krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
 {
@@ -37,3 +39,5 @@ krb5_kt_add_entry (krb5_context context, krb5_keytab id, krb5_keytab_entry *entr
     else
 	return KRB5_KT_NOWRITE;
 }
+#endif /* LEAN_CLIENT */
+
diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c
index 3e4f6a6be6..b68b351c6a 100644
--- a/src/lib/krb5/keytab/ktbase.c
+++ b/src/lib/krb5/keytab/ktbase.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/keytab/ktbase.c
  *
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -53,6 +53,8 @@
 #include "k5-thread.h"
 #include "kt-int.h"
 
+#ifndef LEAN_CLIENT
+
 extern const krb5_kt_ops krb5_ktf_ops;
 extern const krb5_kt_ops krb5_ktf_writable_ops;
 extern const krb5_kt_ops krb5_kts_ops;
@@ -283,3 +285,5 @@ krb5_ser_keytab_init(krb5_context kcontext)
 {
     return(krb5_register_serializer(kcontext, &krb5_keytab_ser_entry));
 }
+#endif /* LEAN_CLIENT */
+
diff --git a/src/lib/krb5/keytab/ktdefault.c b/src/lib/krb5/keytab/ktdefault.c
index 971f29f599..3d7ee0946c 100644
--- a/src/lib/krb5/keytab/ktdefault.c
+++ b/src/lib/krb5/keytab/ktdefault.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/keytab/ktdefault.c
  *
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -30,6 +30,7 @@
 #include "k5-int.h"
 #include <stdio.h>
 
+#ifndef LEAN_CLIENT
 krb5_error_code KRB5_CALLCONV
 krb5_kt_default(krb5_context context, krb5_keytab *id)
 {
@@ -41,5 +42,5 @@ krb5_kt_default(krb5_context context, krb5_keytab *id)
     return krb5_kt_resolve(context, defname, id);
 }
 
-
+#endif /* LEAN_CLIENT */
 
diff --git a/src/lib/krb5/keytab/ktfns.c b/src/lib/krb5/keytab/ktfns.c
index 24d8eb267b..9239f3d167 100644
--- a/src/lib/krb5/keytab/ktfns.c
+++ b/src/lib/krb5/keytab/ktfns.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/keytab/ktfns.c
  *
- * Copyright 2001 by the Massachusetts Institute of Technology.
+ * Copyright 2001,2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -28,6 +28,8 @@
  * Dispatch methods for keytab code.
  */
 
+#ifndef LEAN_CLIENT 
+
 #include "k5-int.h"
 
 const char * KRB5_CALLCONV
@@ -94,3 +96,5 @@ krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab,
 {
     return krb5_x((keytab)->ops->end_get,(context, keytab, cursor));
 }
+#endif /* LEAN_CLIENT */
+
diff --git a/src/lib/krb5/keytab/ktfr_entry.c b/src/lib/krb5/keytab/ktfr_entry.c
index b4305e21af..e046232546 100644
--- a/src/lib/krb5/keytab/ktfr_entry.c
+++ b/src/lib/krb5/keytab/ktfr_entry.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/keytab/ktfr_entry.c
  *
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990, 2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -26,6 +26,7 @@
  *
  * krb5_kt_free_entry()
  */
+#ifndef LEAN_CLIENT 
 
 #include "k5-int.h"
 
@@ -48,3 +49,5 @@ krb5_kt_free_entry (krb5_context context, krb5_keytab_entry *entry)
 {
     return krb5_free_keytab_entry_contents (context, entry);
 }
+#endif /* LEAN_CLIENT */
+
diff --git a/src/lib/krb5/keytab/ktremove.c b/src/lib/krb5/keytab/ktremove.c
index d101a70651..4ba6063f72 100644
--- a/src/lib/krb5/keytab/ktremove.c
+++ b/src/lib/krb5/keytab/ktremove.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/keytab/ktremove.c
  *
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -26,6 +26,7 @@
  *
  * krb5_kt_remove_entry()
  */
+#ifndef LEAN_CLIENT 
 
 #include "k5-int.h"
 
@@ -37,3 +38,5 @@ krb5_kt_remove_entry (krb5_context context, krb5_keytab id, krb5_keytab_entry *e
     else
 	return KRB5_KT_NOWRITE;
 }
+#endif /* LEAN_CLIENT  */
+
diff --git a/src/lib/krb5/keytab/read_servi.c b/src/lib/krb5/keytab/read_servi.c
index 3455300ab0..6638a5a927 100644
--- a/src/lib/krb5/keytab/read_servi.c
+++ b/src/lib/krb5/keytab/read_servi.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/keytab/read_servi.c
  *
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -29,6 +29,7 @@
  * It handles all of the opening and closing of the keytab 
  * internally. 
  */
+#ifndef LEAN_CLIENT 
 
 #include "k5-int.h"
 
@@ -79,3 +80,5 @@ krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_pri
 
     return (KSUCCESS);
 }
+#endif /* LEAN_CLIENT */
+
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index cae04955ae..7e60b2d198 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/krb/gic_keytab.c
  *
- * Copyright (C) 2002, 2003 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2002, 2003, 2008 by the Massachusetts Institute of Technology.
  * All rights reserved.
  *
  * Export of this software from the United States of America may
@@ -23,6 +23,7 @@
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
  */
+#ifndef LEAN_CLIENT 
 
 #include "k5-int.h"
 
@@ -217,3 +218,5 @@ krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
     return retval;
 }
 
+#endif /* LEAN_CLIENT */
+
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index dd3f011d9a..094eb79f5b 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -378,7 +378,6 @@ cleanup:
 		  break;
 
 	       delta = (*last_req)->value - now;
-
 	       if (delta < 3600)
 		   snprintf(banner, sizeof(banner),
 			    "Warning: Your password will expire in less than one hour on %s",
diff --git a/src/lib/krb5/krb/in_tkt_sky.c b/src/lib/krb5/krb/in_tkt_sky.c
index 75edb55da4..d98411fd7a 100644
--- a/src/lib/krb5/krb/in_tkt_sky.c
+++ b/src/lib/krb5/krb/in_tkt_sky.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/krb/in_tkt_sky.c
  *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991, 2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -98,8 +98,10 @@ krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
 			       skey_keyproc, (krb5_const_pointer)key,
 			       krb5_kdc_rep_decrypt_proc, 0, creds,
 			       ccache, ret_as_reply);
+#ifndef LEAN_CLIENT 
     else 
 	return krb5_get_in_tkt_with_keytab(context, options, addrs, ktypes,
 					   pre_auth_types, NULL, ccache,
 					   creds, ret_as_reply);
+#endif /* LEAN_CLIENT */
 }
diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c
index 28f4f93641..6a479496fa 100644
--- a/src/lib/krb5/krb/rd_req.c
+++ b/src/lib/krb5/krb/rd_req.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/krb/rd_req.c
  *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991, 2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -58,14 +58,16 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
 
     if (!krb5_is_ap_req(inbuf))
 	return KRB5KRB_AP_ERR_MSG_TYPE;
+#ifndef LEAN_CLIENT 
     if ((retval = decode_krb5_ap_req(inbuf, &request))) {
     	switch (retval) {
 	case KRB5_BADMSGTYPE:
 	    return KRB5KRB_AP_ERR_BADVERSION; 
 	default:
 	    return(retval);
-	}
+	} 
     }
+#endif /* LEAN_CLIENT */
 
     /* Get an auth context if necessary. */
     new_auth_context = NULL;
@@ -89,18 +91,22 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
 	    goto cleanup_auth_context;
     }
 
+#ifndef LEAN_CLIENT 
     /* Get a keytab if necessary. */
     if (keytab == NULL) {
 	if ((retval = krb5_kt_default(context, &new_keytab)))
 	    goto cleanup_auth_context;
 	keytab = new_keytab;
     }
+#endif /* LEAN_CLIENT */
 
     retval = krb5_rd_req_decoded(context, auth_context, request, server, 
 				 keytab, ap_req_options, ticket);
 
+#ifndef LEAN_CLIENT 
     if (new_keytab != NULL)
         (void) krb5_kt_close(context, new_keytab);
+#endif /* LEAN_CLIENT */
 
 cleanup_auth_context:
     if (new_auth_context && retval) {
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index d672b8b7e9..ed707d11ed 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -87,15 +87,19 @@ krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req,
 
     enctype = req->ticket->enc_part.enctype;
 
+#ifndef LEAN_CLIENT 
     if ((retval = krb5_kt_get_entry(context, keytab, req->ticket->server,
 				    req->ticket->enc_part.kvno,
 				    enctype, &ktent)))
 	return retval;
+#endif /* LEAN_CLIENT */
 
     retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket);
     /* Upon error, Free keytab entry first, then return */
 
+#ifndef LEAN_CLIENT 
     (void) krb5_kt_free_entry(context, &ktent);
+#endif /* LEAN_CLIENT */
     return retval;
 }
 
diff --git a/src/lib/krb5/krb/ser_ctx.c b/src/lib/krb5/krb/ser_ctx.c
index 322f1825b5..6a1fb1b498 100644
--- a/src/lib/krb5/krb/ser_ctx.c
+++ b/src/lib/krb5/krb/ser_ctx.c
@@ -62,12 +62,14 @@ static krb5_error_code krb5_oscontext_externalize
 	(krb5_context, krb5_pointer, krb5_octet **, size_t *);
 static krb5_error_code krb5_oscontext_internalize
 	(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+#ifndef LEAN_CLIENT
 krb5_error_code profile_ser_size
 	(krb5_context, krb5_pointer, size_t *);
 krb5_error_code profile_ser_externalize
 	(krb5_context, krb5_pointer, krb5_octet **, size_t *);
 krb5_error_code profile_ser_internalize
 	(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+#endif /* LEAN_CLIENT */
 
 /* Local data */
 static const krb5_ser_entry krb5_context_ser_entry = {
@@ -82,13 +84,14 @@ static const krb5_ser_entry krb5_oscontext_ser_entry = {
     krb5_oscontext_externalize,		/* Externalize routine	*/
     krb5_oscontext_internalize		/* Internalize routine	*/
 };
+#ifndef LEAN_CLIENT
 static const krb5_ser_entry krb5_profile_ser_entry = {
     PROF_MAGIC_PROFILE,			/* Type			*/
     profile_ser_size,			/* Sizer routine	*/
     profile_ser_externalize,		/* Externalize routine	*/
     profile_ser_internalize		/* Internalize routine	*/
 };
-
+#endif /* LEAN_CLIENT */
 /*
  * krb5_context_size()	- Determine the size required to externalize the
  *			  krb5_context.
@@ -610,7 +613,9 @@ krb5_ser_context_init(krb5_context kcontext)
     kret = krb5_register_serializer(kcontext, &krb5_context_ser_entry);
     if (!kret)
 	kret = krb5_register_serializer(kcontext, &krb5_oscontext_ser_entry);
+#ifndef LEAN_CLIENT
     if (!kret)
 	kret = krb5_register_serializer(kcontext, &krb5_profile_ser_entry);
+#endif /* LEAN_CLIENT */
     return(kret);
 }
diff --git a/src/lib/krb5/krb/srv_dec_tkt.c b/src/lib/krb5/krb/srv_dec_tkt.c
index e994ac9950..b5cf260f2c 100644
--- a/src/lib/krb5/krb/srv_dec_tkt.c
+++ b/src/lib/krb5/krb/srv_dec_tkt.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/krb/srv_dec_tkt.c
  *
- * Copyright 2006 by the Massachusetts Institute of Technology.
+ * Copyright 2006, 2008 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -38,6 +38,7 @@
 
 #include <k5-int.h>
 
+#ifndef LEAN_CLIENT 
 krb5_error_code KRB5_CALLCONV
 krb5int_server_decrypt_ticket_keyblock(krb5_context context,
 				       const krb5_keyblock *key,
@@ -92,3 +93,5 @@ krb5_server_decrypt_ticket_keytab(krb5_context context,
     (void) krb5_kt_free_entry(context, &ktent);
     return retval;
 }
+#endif /* LEAN_CLIENT */
+
diff --git a/src/lib/krb5/krb5_libinit.c b/src/lib/krb5/krb5_libinit.c
index e82891a57d..94187781c8 100644
--- a/src/lib/krb5/krb5_libinit.c
+++ b/src/lib/krb5/krb5_libinit.c
@@ -44,9 +44,11 @@ int krb5int_lib_init(void)
     err = krb5int_rc_finish_init();
     if (err)
 	return err;
+#ifndef LEAN_CLIENT
     err = krb5int_kt_initialize();
     if (err)
 	return err;
+#endif /* LEAN_CLIENT */
     err = krb5int_cc_initialize();
     if (err)
 	return err;
@@ -83,7 +85,9 @@ void krb5int_lib_fini(void)
     k5_mutex_destroy(&krb5int_us_time_mutex);
 
     krb5int_cc_finalize();
+#ifndef LEAN_CLIENT
     krb5int_kt_finalize();
+#endif /* LEAN_CLIENT */
     krb5int_rc_terminate();
 
 #if defined(_WIN32) || defined(USE_CCAPI)
diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c
index c0cc495c61..1593468cd4 100644
--- a/src/lib/krb5/os/accessor.c
+++ b/src/lib/krb5/os/accessor.c
@@ -79,8 +79,14 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version)
 #undef SC
 
 	    S (krb5int_c_mandatory_cksumtype, krb5int_c_mandatory_cksumtype),
-	    S (krb5_ser_pack_int64, krb5_ser_pack_int64),
-	    S (krb5_ser_unpack_int64, krb5_ser_unpack_int64),
+#ifndef LEAN_CLIENT
+#define SC(FIELD, VAL)	S(FIELD, VAL)
+#else /* disable */
+#define SC(FIELD, VAL)	S(FIELD, 0)
+#endif
+	    SC (krb5_ser_pack_int64, krb5_ser_pack_int64),
+	    SC (krb5_ser_unpack_int64, krb5_ser_unpack_int64),
+#undef SC
 
 #ifdef ENABLE_LDAP
 #define SC(FIELD, VAL)	S(FIELD, VAL)