libcli/auth Move krb5 wrapper functions from s3 into common

This requires a small rework of the build system to ensure that the
correct #define statements are made in both the s3 and top level
builds.  We now define the various HAVE_ macros in config.h at all
times, using heimdal_build/wscript_configure when that is in use.

Andrew Bartlett

12 files changed, 166 insertions, 299 deletions

diff --git a/lib/replace/system/kerberos.h b/lib/replace/system/kerberos.h
index a1685ad3330..bb1f1b9a094 100644
--- a/lib/replace/system/kerberos.h
+++ b/lib/replace/system/kerberos.h
@@ -28,114 +28,14 @@
 */
 
 #ifdef HAVE_KRB5
-/* Whether the krb5_address struct has a addrtype property */
-/* #undef HAVE_ADDRTYPE_IN_KRB5_ADDRESS */
-/* Whether the krb5_address struct has a addr_type property */
-#define HAVE_ADDR_TYPE_IN_KRB5_ADDRESS 1
-/* Define to 1 if you have the `gsskrb5_extract_authz_data_from_sec_context' */
-#define HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT 1
-/* Define to 1 if you have the `gsskrb5_get_initiator_subkey' function. */
-#define HAVE_GSSKRB5_GET_INITIATOR_SUBKEY 1
-/* Define to 1 if you have the `gsskrb5_register_acceptor_identity' function. */
-#define HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY 1
-/* Define to 1 if you have the `gss_krb5_ccache_name' function. */
-#define HAVE_GSS_KRB5_CCACHE_NAME 1
-/* Define to 1 if you have the `krb5_addlog_func' function. */
-#define HAVE_KRB5_ADDLOG_FUNC 1
-/* Define to 1 if you have the `krb5_auth_con_setkey' function. */
-#define HAVE_KRB5_AUTH_CON_SETKEY 1
-/* Define to 1 if you have the `krb5_auth_con_setuseruserkey' function. */
-/* #undef HAVE_KRB5_AUTH_CON_SETUSERUSERKEY */
-/* Define to 1 if you have the `krb5_c_enctype_compare' function. */
-#define HAVE_KRB5_C_ENCTYPE_COMPARE 1
-/* Define to 1 if you have the `krb5_c_verify_checksum' function. */
-#define HAVE_KRB5_C_VERIFY_CHECKSUM 1
-/* Whether the type krb5_encrypt_block exists */
-/* #undef HAVE_KRB5_ENCRYPT_BLOCK */
-/* Define to 1 if you have the `krb5_encrypt_data' function. */
-/* #undef HAVE_KRB5_ENCRYPT_DATA */
-/* Define to 1 if you have the `krb5_enctypes_compatible_keys' function. */
-#define HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS 1
-/* Define to 1 if you have the `krb5_free_data_contents' function. */
-#define HAVE_KRB5_FREE_DATA_CONTENTS 1
-/* Define to 1 if you have the `krb5_free_error_string' function. */
-/* #undef HAVE_KRB5_FREE_ERROR_STRING */
-/* Define to 1 if you have the `krb5_free_error_message' function. */
-#define HAVE_KRB5_FREE_ERROR_MESSAGE 1
-/* Define to 1 if you have the `krb5_free_keytab_entry_contents' function. */
-/* #undef HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS */
-/* Define to 1 if you have the `krb5_free_ktypes' function. */
-/* #undef HAVE_KRB5_FREE_KTYPES */
-/* Define to 1 if you have the `krb5_free_unparsed_name' function. */
-/* #undef HAVE_KRB5_FREE_UNPARSED_NAME */
-/* Define to 1 if you have the `krb5_get_default_in_tkt_etypes' function. */
-#define HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES 1
-/* Define to 1 if you have the `krb5_get_error_string' function. */
-#define HAVE_KRB5_GET_ERROR_STRING 1
-/* Define to 1 if you have the `krb5_get_error_message' function. */
-#define HAVE_KRB5_GET_ERROR_MESSAGE 1
-/* Define to 1 if you have the `krb5_get_permitted_enctypes' function. */
-/* #undef HAVE_KRB5_GET_PERMITTED_ENCTYPES */
-/* Define to 1 if you have the `krb5_get_pw_salt' function. */
-#define HAVE_KRB5_GET_PW_SALT 1
-/* Define to 1 if you have the <krb5.h> header file. */
-#define HAVE_KRB5_H 1
-/* Define to 1 if you have the `krb5_initlog' function. */
-#define HAVE_KRB5_INITLOG 1
-/* Define to 1 if you have the `krb5_kdc_default_config' function. */
-#define HAVE_KRB5_KDC_DEFAULT_CONFIG 1
-/* Whether the krb5_creds struct has a keyblock property */
-/* #undef HAVE_KRB5_KEYBLOCK_IN_CREDS */
-/* Whether the krb5_keyblock struct has a keyvalue property */
-#define HAVE_KRB5_KEYBLOCK_KEYVALUE 1
-/* Whether krb5_keytab_entry has key member */
-/* #undef HAVE_KRB5_KEYTAB_ENTRY_KEY */
-/* Whether krb5_keytab_entry has keyblock member */
-#define HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK 1
-/* Define to 1 if you have the `krb5_krbhst_get_addrinfo' function. */
-#define HAVE_KRB5_KRBHST_GET_ADDRINFO 1
-/* Define to 1 if you have the `krb5_kt_compare' function. */
-#define HAVE_KRB5_KT_COMPARE 1
-/* Define to 1 if you have the `krb5_kt_free_entry' function. */
-#define HAVE_KRB5_KT_FREE_ENTRY 1
-/* Whether the type krb5_log_facility exists */
-#define HAVE_KRB5_LOG_FACILITY 1
-/* Define to 1 if you have the `krb5_mk_req_extended' function. */
-#define HAVE_KRB5_MK_REQ_EXTENDED 1
-/* Define to 1 if you have the `krb5_principal2salt' function. */
-/* #undef HAVE_KRB5_PRINCIPAL2SALT */
-/* Define to 1 if you have the `krb5_principal_get_comp_string' function. */
-#define HAVE_KRB5_PRINCIPAL_GET_COMP_STRING 1
-/* Whether krb5_princ_component is available */
-/* #undef HAVE_KRB5_PRINC_COMPONENT */
-/* Whether the krb5_creds struct has a session property */
-#define HAVE_KRB5_SESSION_IN_CREDS 1
-/* Define to 1 if you have the `krb5_set_default_in_tkt_etypes' function. */
-#define HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES 1
-/* Define to 1 if you have the `krb5_set_default_tgs_ktypes' function. */
-/* #undef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES */
-/* Define to 1 if you have the `krb5_set_real_time' function. */
-#define HAVE_KRB5_SET_REAL_TIME 1
-/* Define to 1 if you have the `krb5_set_warn_dest' function. */
-#define HAVE_KRB5_SET_WARN_DEST 1
-/* Define to 1 if you have the `krb5_string_to_key' function. */
-#define HAVE_KRB5_STRING_TO_KEY 1
-/* Define to 1 if you have the `krb5_string_to_key_salt' function. */
-#define HAVE_KRB5_STRING_TO_KEY_SALT 1
-/* Define to 1 if you have the `krb5_ticket_get_authorization_data_type' */
-#define HAVE_KRB5_TICKET_GET_AUTHORIZATION_DATA_TYPE 1
-/* Whether the krb5_ticket struct has a enc_part2 property */
-/* #undef HAVE_KRB5_TKT_ENC_PART2 */
-/* Define to 1 if you have the `krb5_use_enctype' function. */
-/* #undef HAVE_KRB5_USE_ENCTYPE */
-/* Define to 1 if you have the `krb5_verify_checksum' function. */
-#define HAVE_KRB5_VERIFY_CHECKSUM 1
-/* Whether krb5_princ_realm returns krb5_realm or krb5_data */
-#define KRB5_PRINC_REALM_RETURNS_REALM 1
 
+#if HAVE_KRB5_H
 #include <krb5.h>
-#include <com_err.h>
+#endif
 
+#if HAVE_COM_ERR_H
+#include <com_err.h>
 #endif
 
 #endif
+#endif
diff --git a/source4/auth/kerberos/clikrb5.c b/libcli/auth/krb5_wrap.c
index 3314cbc5910..48f50ec02ee 100644
--- a/source4/auth/kerberos/clikrb5.c
+++ b/libcli/auth/krb5_wrap.c
@@ -1,40 +1,38 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
    simple kerberos5 routines for active directory
    Copyright (C) Andrew Tridgell 2001
    Copyright (C) Luke Howard 2002-2003
    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
-  
+   Copyright (C) Guenther Deschner 2005-2009
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "includes.h"
-#include "system/network.h"
-#include "system/kerberos.h"
-#include "system/time.h"
-#include "auth/kerberos/kerberos.h"
+#include "libcli/auth/krb5_wrap.h"
 
 #ifdef HAVE_KRB5
 
 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
- int create_kerberos_key_from_string(krb5_context context,
-					krb5_principal host_princ,
-					krb5_data *password,
-					krb5_keyblock *key,
-					krb5_enctype enctype)
+int create_kerberos_key_from_string_direct(krb5_context context,
+						  krb5_principal host_princ,
+						  krb5_data *password,
+						  krb5_keyblock *key,
+						  krb5_enctype enctype)
 {
-	int ret;
+	int ret = 0;
 	krb5_data salt;
 	krb5_encrypt_block eblock;
 
@@ -46,14 +44,15 @@
 	krb5_use_enctype(context, &eblock, enctype);
 	ret = krb5_string_to_key(context, &eblock, key, password, &salt);
 	SAFE_FREE(salt.data);
+
 	return ret;
 }
 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
- int create_kerberos_key_from_string(krb5_context context,
-					krb5_principal host_princ,
-					krb5_data *password,
-					krb5_keyblock *key,
-					krb5_enctype enctype)
+int create_kerberos_key_from_string_direct(krb5_context context,
+						  krb5_principal host_princ,
+						  krb5_data *password,
+						  krb5_keyblock *key,
+						  krb5_enctype enctype)
 {
 	int ret;
 	krb5_salt salt;
@@ -63,9 +62,10 @@
 		DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
 		return ret;
 	}
-	ret = krb5_string_to_key_salt(context, enctype, password->data,
-				      salt, key);
+
+	ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
 	krb5_free_salt(context, salt);
+
 	return ret;
 }
 #else
@@ -74,27 +74,39 @@
 
  void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
 {
+#if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
 	if (pdata->data) {
-		krb5_data_free(pdata);
+		krb5_free_data_contents(context, pdata);
 	}
+#elif defined(HAVE_KRB5_DATA_FREE)
+	krb5_data_free(context, pdata);
+#else
+	SAFE_FREE(pdata->data);
+#endif
 }
 
+
  krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
 {
-#if defined(HAVE_KRB5_KT_FREE_ENTRY)
-	return krb5_kt_free_entry(context, kt_entry);
-#elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
+/* Try krb5_free_keytab_entry_contents first, since
+ * MIT Kerberos >= 1.7 has both krb5_free_keytab_entry_contents and
+ * krb5_kt_free_entry but only has a prototype for the first, while the
+ * second is considered private.
+ */
+#if defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
 	return krb5_free_keytab_entry_contents(context, kt_entry);
+#elif defined(HAVE_KRB5_KT_FREE_ENTRY)
+	return krb5_kt_free_entry(context, kt_entry);
 #else
 #error UNKNOWN_KT_FREE_FUNCTION
 #endif
 }
 
- char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx) 
+ char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx)
 {
 	char *ret;
-	
-#if defined(HAVE_KRB5_GET_ERROR_MESSAGE) && defined(HAVE_KRB5_FREE_ERROR_MESSAGE) 	
+
+#if defined(HAVE_KRB5_GET_ERROR_MESSAGE) && defined(HAVE_KRB5_FREE_ERROR_MESSAGE)
 	const char *context_error = krb5_get_error_message(context, code);
 	if (context_error) {
 		ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
diff --git a/libcli/auth/krb5_wrap.h b/libcli/auth/krb5_wrap.h
new file mode 100644
index 00000000000..e608efe58c9
--- /dev/null
+++ b/libcli/auth/krb5_wrap.h
@@ -0,0 +1,32 @@
+/*
+   Unix SMB/CIFS implementation.
+   simple kerberos5 routines for active directory
+   Copyright (C) Andrew Tridgell 2001
+   Copyright (C) Luke Howard 2002-2003
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
+   Copyright (C) Guenther Deschner 2005-2009
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "system/kerberos.h"
+
+int create_kerberos_key_from_string_direct(krb5_context context,
+						  krb5_principal host_princ,
+						  krb5_data *password,
+						  krb5_keyblock *key,
+					   krb5_enctype enctype);
+void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
+krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
+char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index 436ca61b7fd..6f5483f48b9 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -2,7 +2,7 @@
 
 bld.SAMBA_LIBRARY('cliauth',
                   source='',
-                  deps='NTLMSSP_COMMON MSRPC_PARSE LIBCLI_AUTH COMMON_SCHANNEL PAM_ERRORS SPNEGO_PARSE',
+                  deps='NTLMSSP_COMMON MSRPC_PARSE LIBCLI_AUTH COMMON_SCHANNEL PAM_ERRORS SPNEGO_PARSE KRB5_WRAP',
                   private_library=True,
                   grouping_library=True)
 
@@ -38,3 +38,7 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
 bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE',
                     source='spnego_parse.c',
                     deps='asn1util')
+
+bld.SAMBA_SUBSYSTEM('KRB5_WRAP',
+                    source='krb5_wrap.c',
+                    deps='krb5')
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 0e748054175..e754a43270f 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -576,7 +576,7 @@ SCHANNEL_OBJ = ../libcli/auth/credentials.o \
 	       $(LIBNDR_SCHANNEL_OBJ)
 
 LIBSMB_OBJ = libsmb/clientgen.o libsmb/cliconnect.o libsmb/clifile.o \
-	     libsmb/clikrb5.o libsmb/clispnego.o \
+	     libsmb/clikrb5.o ../libcli/auth/krb5_wrap.o libsmb/clispnego.o \
 	     ../libcli/auth/spnego_parse.o \
 	     ../lib/util/asn1.o \
 	     libsmb/clirap.o libsmb/clierror.o libsmb/climessage.o \
@@ -1476,7 +1476,7 @@ TDBTORTURE_OBJ = @tdbdir@/tools/tdbtorture.o $(LIBREPLACE_OBJ) \
 NTLM_AUTH_OBJ1 = utils/ntlm_auth.o utils/ntlm_auth_diagnostics.o
 
 NTLM_AUTH_OBJ = ${NTLM_AUTH_OBJ1} $(LIBSAMBA_OBJ) $(POPT_LIB_OBJ) \
-		../lib/util/asn1.o ../libcli/auth/spnego_parse.o libsmb/clikrb5.o libads/kerberos.o \
+		../lib/util/asn1.o ../libcli/auth/spnego_parse.o libsmb/clikrb5.o ../libcli/auth/krb5_wrap.o libads/kerberos.o \
 		libsmb/samlogon_cache.o \
 		$(LIBADS_SERVER_OBJ) \
 		$(PASSDB_OBJ) $(LIBTSOCKET_OBJ) $(GROUPDB_OBJ) \
diff --git a/source3/include/smb_krb5.h b/source3/include/smb_krb5.h
index adbb0debc38..042b7ebe40f 100644
--- a/source3/include/smb_krb5.h
+++ b/source3/include/smb_krb5.h
@@ -10,9 +10,7 @@
 #define KRB5_DEPRECATED
 #endif
 
-#if HAVE_KRB5_H
-#include <krb5.h>
-#endif
+#include "libcli/auth/krb5_wrap.h"
 
 #if HAVE_GSSAPI_GSSAPI_H
 #include <gssapi/gssapi.h>
@@ -22,10 +20,6 @@
 #include <gssapi.h>
 #endif
 
-#if HAVE_COM_ERR_H
-#include <com_err.h>
-#endif
-
 #ifndef KRB5_ADDR_NETBIOS
 #define KRB5_ADDR_NETBIOS 0x14
 #endif
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 5e1f7049211..b341ff4be6c 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -223,53 +223,6 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
 #error UNKNOWN_ADDRTYPE
 #endif
 
-#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
-static int create_kerberos_key_from_string_direct(krb5_context context,
-						  krb5_principal host_princ,
-						  krb5_data *password,
-						  krb5_keyblock *key,
-						  krb5_enctype enctype)
-{
-	int ret = 0;
-	krb5_data salt;
-	krb5_encrypt_block eblock;
-
-	ret = krb5_principal2salt(context, host_princ, &salt);
-	if (ret) {
-		DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
-		return ret;
-	}
-	krb5_use_enctype(context, &eblock, enctype);
-	ret = krb5_string_to_key(context, &eblock, key, password, &salt);
-	SAFE_FREE(salt.data);
-
-	return ret;
-}
-#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
-static int create_kerberos_key_from_string_direct(krb5_context context,
-						  krb5_principal host_princ,
-						  krb5_data *password,
-						  krb5_keyblock *key,
-						  krb5_enctype enctype)
-{
-	int ret;
-	krb5_salt salt;
-
-	ret = krb5_get_pw_salt(context, host_princ, &salt);
-	if (ret) {
-		DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
-		return ret;
-	}
-
-	ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
-	krb5_free_salt(context, salt);
-
-	return ret;
-}
-#else
-#error UNKNOWN_CREATE_KEY_FUNCTIONS
-#endif
-
  int create_kerberos_key_from_string(krb5_context context,
 					krb5_principal host_princ,
 					krb5_data *password,
@@ -584,17 +537,6 @@ bool unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_
 }
 #endif
 
- void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
-{
-#if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
-	if (pdata->data) {
-		krb5_free_data_contents(context, pdata);
-	}
-#else
-	SAFE_FREE(pdata->data);
-#endif
-}
-
  void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
 {
 #if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
@@ -1068,22 +1010,6 @@ done:
 }
 #endif
 
- krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
-{
-/* Try krb5_free_keytab_entry_contents first, since 
- * MIT Kerberos >= 1.7 has both krb5_free_keytab_entry_contents and 
- * krb5_kt_free_entry but only has a prototype for the first, while the 
- * second is considered private. 
- */
-#if defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
-	return krb5_free_keytab_entry_contents(context, kt_entry);
-#elif defined(HAVE_KRB5_KT_FREE_ENTRY)
-	return krb5_kt_free_entry(context, kt_entry);
-#else
-#error UNKNOWN_KT_FREE_FUNCTION
-#endif
-}
-
  void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
 				     struct PAC_SIGNATURE_DATA *sig)
 {
diff --git a/source3/wscript b/source3/wscript
index cf96b39107e..ffcecca195d 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -799,83 +799,7 @@ return krb5_kt_resolve(context, "WRFILE:api", &keytab);
         'HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER', addmain=False,
         link=False,
         msg="Checking for KRB5_DEPRECATED define taking an identifier")
-    elif conf.env.toplevel_build:
-        # setup the right defines for a in-tree heimdal build
-        Logs.info("Using in-tree heimdal kerberos defines")
-        conf.define('HAVE_GSSAPI', 1)
-        conf.define('HAVE_GSSAPI_GSSAPI_H', 1)
-        conf.define('HAVE_AP_OPTS_USE_SUBKEY', 1)
-        conf.define('HAVE_KRB5_ADDRESSES', 1)
-        conf.define('HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK', 1)
-        conf.define('HAVE_KRB5_SET_REAL_TIME', 1)
-        conf.define('HAVE_COM_ERR_H', 1)
-        conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1)
-        conf.define('HAVE_GSS_DISPLAY_STATUS', 1)
-        conf.define('HAVE_LIBGSSAPI', 1)
-        conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1)
-        conf.define('HAVE_CHECKSUM_IN_KRB5_CHECKSUM', 1)
-        conf.define('HAVE_DECL_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE', 0)
-        conf.define('HAVE_DECL_KRB5_GET_CREDENTIALS_FOR_USER', 0)
-        conf.define('HAVE_E_DATA_POINTER_IN_KRB5_ERROR', 1)
-        conf.define('HAVE_INITIALIZE_KRB5_ERROR_TABLE', 1)
-        conf.define('HAVE_KRB5_ADDRESSES', 1)
-        conf.define('HAVE_KRB5_AUTH_CON_SETKEY', 1)
-        conf.define('HAVE_KRB5_CRYPTO', 1)
-        conf.define('HAVE_KRB5_CRYPTO_DESTROY', 1)
-        conf.define('HAVE_KRB5_CRYPTO_INIT', 1)
-        conf.define('HAVE_KRB5_C_ENCTYPE_COMPARE', 1)
-        conf.define('HAVE_KRB5_C_VERIFY_CHECKSUM', 1)
-        conf.define('HAVE_FREE_AP_REQ', 1)
-        conf.define('HAVE_KRB5_DECODE_AP_REQ', 1)
-        conf.define('HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS', 1)
-        conf.define('HAVE_KRB5_ENCTYPE_TO_STRING', 1)
-        conf.define('HAVE_KRB5_ENCTYPE_TO_STRING_WITH_KRB5_CONTEXT_ARG', 1)
-        conf.define('HAVE_KRB5_FREE_ERROR_CONTENTS', 1)
-        conf.define('HAVE_KRB5_FREE_HOST_REALM', 1)
-        conf.define('HAVE_KRB5_FWD_TGT_CREDS', 1)
-        conf.define('HAVE_KRB5_GET_CREDS', 1)
-        conf.define('HAVE_KRB5_GET_CREDS_OPT_ALLOC', 1)
-        conf.define('HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE', 1)
-        conf.define('HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES', 1)
-        conf.define('HAVE_KRB5_GET_HOST_REALM', 1)
-        conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC', 1)
-        conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_FREE', 1)
-        conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR', 1)
-        conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST', 1)
-        conf.define('HAVE_KRB5_GET_KDC_CRED', 1)
-        conf.define('HAVE_KRB5_GET_PW_SALT', 1)
-        conf.define('HAVE_KRB5_GET_RENEWED_CREDS', 1)
-        conf.define('HAVE_KRB5_KEYBLOCK_KEYVALUE', 1)
-        conf.define('HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK', 1)
-        conf.define('HAVE_KRB5_KRBHST_GET_ADDRINFO', 1)
-        conf.define('HAVE_KRB5_KRBHST_INIT', 1)
-        conf.define('HAVE_KRB5_KT_COMPARE', 1)
-        conf.define('HAVE_KRB5_KT_FREE_ENTRY', 1)
-        conf.define('HAVE_KRB5_KU_OTHER_CKSUM', 1)
-        conf.define('HAVE_KRB5_LOCATE_PLUGIN_H', 1)
-        conf.define('HAVE_KRB5_MK_REQ_EXTENDED', 1)
-        conf.define('HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM', 1)
-        conf.define('HAVE_KRB5_PRINCIPAL_GET_COMP_STRING', 1)
-        conf.define('HAVE_KRB5_PRINCIPAL_GET_REALM', 1)
-        conf.define('HAVE_KRB5_REALM_TYPE', 1)
-        conf.define('HAVE_KRB5_SESSION_IN_CREDS', 1)
-        conf.define('HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES', 1)
-        conf.define('HAVE_KRB5_SET_REAL_TIME', 1)
-        conf.define('HAVE_KRB5_STRING_TO_KEY', 1)
-        conf.define('HAVE_KRB5_STRING_TO_KEY_SALT', 1)
-        conf.define('HAVE_KRB5_VERIFY_CHECKSUM', 1)
-        conf.define('HAVE_LIBKRB5', 1)
-        conf.define('KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT', 1)
-        conf.define('KRB5_VERIFY_CHECKSUM_ARGS', 6)
-        conf.define('HAVE_ETYPE_IN_ENCRYPTEDDATA', 1)
-        conf.define('KRB5_PRINC_REALM_RETURNS_REALM', 1)
-        conf.define('HAVE_KRB5_PRINCIPAL_GET_REALM', 1)
-        conf.define('HAVE_KRB5_H', 1)
-        conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', 1)
-        conf.define('HAVE_AP_OPTS_USE_SUBKEY', 1)
-        conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', 1)
-        conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC', 1)
-    else:
+    elif not conf.env.toplevel_build:
         conf.SET_TARGET_TYPE('krb5', 'EMPTY')
         conf.SET_TARGET_TYPE('gssapi', 'EMPTY')
         conf.SET_TARGET_TYPE('gssapi_krb5', 'EMPTY')
diff --git a/source3/wscript_build b/source3/wscript_build
index 24939c40040..0b924cad4db 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -775,7 +775,7 @@ bld.SAMBA3_SUBSYSTEM('POPT_SAMBA3',
 
 bld.SAMBA3_SUBSYSTEM('KRBCLIENT',
                     source=KRBCLIENT_SRC,
-                    public_deps='krb5 k5crypto com_err gssapi gssapi_krb5',
+                    public_deps='KRB5_WRAP krb5 k5crypto com_err gssapi gssapi_krb5',
                     vars=locals())
 
 bld.SAMBA3_LIBRARY('samba3core',
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index c5079123ef8..9ac226390ac 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -542,8 +542,8 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
 
 		ZERO_STRUCT(entry);
 
-		ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context, 
-						      salt_princ, &password, &entry.keyblock, enctypes[i]);
+		ret = create_kerberos_key_from_string_direct(smb_krb5_context->krb5_context,
+							     salt_princ, &password, &entry.keyblock, enctypes[i]);
 		if (ret != 0) {
 			return ret;
 		}
diff --git a/source4/auth/kerberos/wscript_build b/source4/auth/kerberos/wscript_build
index 1b4804e7ccf..586366d4226 100644
--- a/source4/auth/kerberos/wscript_build
+++ b/source4/auth/kerberos/wscript_build
@@ -1,10 +1,10 @@
 #!/usr/bin/env python
 
 bld.SAMBA_LIBRARY('authkrb5',
-                  source='kerberos.c clikrb5.c kerberos_heimdal.c kerberos_pac.c gssapi_parse.c krb5_init_context.c keytab_copy.c',
+                  source='kerberos.c kerberos_heimdal.c kerberos_pac.c gssapi_parse.c krb5_init_context.c keytab_copy.c',
                   autoproto='proto.h',
                   public_deps='krb5 ndr-krb5pac samba_socket LIBCLI_RESOLVE com_err asn1',
-                  deps='asn1util auth_sam_reply tevent LIBPACKET ndr ldb',
+                  deps='asn1util auth_sam_reply tevent LIBPACKET ndr ldb KRB5_WRAP',
                   private_library=True
                   )
 
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index 29def8bcaa5..2e8896cdb5d 100644
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -70,6 +70,81 @@ conf.CHECK_STRUCTURE_MEMBER('DIR', 'dd_fd', define='HAVE_DIR_DD_FD',  headers='d
 
 conf.DEFINE('SAMBA4_INTERNAL_HEIMDAL', 1)
 
+# setup the right defines for a in-tree heimdal build
+Logs.info("Using in-tree heimdal kerberos defines")
+conf.define('HAVE_GSSAPI_GSSAPI_H', 1)
+conf.define('HAVE_AP_OPTS_USE_SUBKEY', 1)
+conf.define('HAVE_KRB5_ADDRESSES', 1)
+conf.define('HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK', 1)
+conf.define('HAVE_KRB5_SET_REAL_TIME', 1)
+conf.define('HAVE_COM_ERR_H', 1)
+conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1)
+conf.define('HAVE_GSS_DISPLAY_STATUS', 1)
+conf.define('HAVE_LIBGSSAPI', 1)
+conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1)
+conf.define('HAVE_CHECKSUM_IN_KRB5_CHECKSUM', 1)
+conf.define('HAVE_DECL_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE', 0)
+conf.define('HAVE_DECL_KRB5_GET_CREDENTIALS_FOR_USER', 0)
+conf.define('HAVE_E_DATA_POINTER_IN_KRB5_ERROR', 1)
+conf.define('HAVE_INITIALIZE_KRB5_ERROR_TABLE', 1)
+conf.define('HAVE_KRB5_ADDRESSES', 1)
+conf.define('HAVE_KRB5_AUTH_CON_SETKEY', 1)
+conf.define('HAVE_KRB5_CRYPTO', 1)
+conf.define('HAVE_KRB5_CRYPTO_DESTROY', 1)
+conf.define('HAVE_KRB5_CRYPTO_INIT', 1)
+conf.define('HAVE_KRB5_C_ENCTYPE_COMPARE', 1)
+conf.define('HAVE_KRB5_C_VERIFY_CHECKSUM', 1)
+conf.define('HAVE_FREE_AP_REQ', 1)
+conf.define('HAVE_KRB5_DECODE_AP_REQ', 1)
+conf.define('HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS', 1)
+conf.define('HAVE_KRB5_ENCTYPE_TO_STRING', 1)
+conf.define('HAVE_KRB5_ENCTYPE_TO_STRING_WITH_KRB5_CONTEXT_ARG', 1)
+conf.define('HAVE_KRB5_FREE_ERROR_CONTENTS', 1)
+conf.define('HAVE_KRB5_FREE_HOST_REALM', 1)
+conf.define('HAVE_KRB5_FWD_TGT_CREDS', 1)
+conf.define('HAVE_KRB5_GET_CREDS', 1)
+conf.define('HAVE_KRB5_GET_CREDS_OPT_ALLOC', 1)
+conf.define('HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE', 1)
+conf.define('HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES', 1)
+conf.define('HAVE_KRB5_GET_HOST_REALM', 1)
+conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC', 1)
+conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_FREE', 1)
+conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR', 1)
+conf.define('HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST', 1)
+conf.define('HAVE_KRB5_GET_KDC_CRED', 1)
+conf.define('HAVE_KRB5_GET_PW_SALT', 1)
+conf.define('HAVE_KRB5_GET_RENEWED_CREDS', 1)
+conf.define('HAVE_KRB5_KEYBLOCK_KEYVALUE', 1)
+conf.define('HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK', 1)
+conf.define('HAVE_KRB5_KRBHST_GET_ADDRINFO', 1)
+conf.define('HAVE_KRB5_KRBHST_INIT', 1)
+conf.define('HAVE_KRB5_KT_COMPARE', 1)
+conf.define('HAVE_KRB5_KT_FREE_ENTRY', 1)
+conf.define('HAVE_KRB5_KU_OTHER_CKSUM', 1)
+conf.define('HAVE_KRB5_LOCATE_PLUGIN_H', 1)
+conf.define('HAVE_KRB5_MK_REQ_EXTENDED', 1)
+conf.define('HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM', 1)
+conf.define('HAVE_KRB5_PRINCIPAL_GET_COMP_STRING', 1)
+conf.define('HAVE_KRB5_PRINCIPAL_GET_REALM', 1)
+conf.define('HAVE_KRB5_REALM_TYPE', 1)
+conf.define('HAVE_KRB5_SESSION_IN_CREDS', 1)
+conf.define('HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES', 1)
+conf.define('HAVE_KRB5_SET_REAL_TIME', 1)
+conf.define('HAVE_KRB5_STRING_TO_KEY', 1)
+conf.define('HAVE_KRB5_STRING_TO_KEY_SALT', 1)
+conf.define('HAVE_KRB5_VERIFY_CHECKSUM', 1)
+conf.define('HAVE_LIBKRB5', 1)
+conf.define('KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT', 1)
+conf.define('KRB5_VERIFY_CHECKSUM_ARGS', 6)
+conf.define('HAVE_ETYPE_IN_ENCRYPTEDDATA', 1)
+conf.define('KRB5_PRINC_REALM_RETURNS_REALM', 1)
+conf.define('HAVE_KRB5_PRINCIPAL_GET_REALM', 1)
+conf.define('HAVE_KRB5_H', 1)
+conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', 1)
+conf.define('HAVE_AP_OPTS_USE_SUBKEY', 1)
+conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', 1)
+conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC', 1)
+
 if conf.CHECK_BUNDLED_SYSTEM('com_err', checkfunctions='com_right_r com_err', headers='com_err.h'):
     conf.define('USING_SYSTEM_COM_ERR', 1)