s3-kerberos: only use krb5 headers where required.

This seems to be the only way to deal with mixed heimdal/MIT setups during
merged build.

Guenther
(cherry picked from commit 60262369fc2ae19f6d9263e35b5db9b09b603a1b)

20 files changed, 245 insertions, 203 deletions

diff --git a/source/client/cifs.upcall.c b/source/client/cifs.upcall.c
index a2616f02e14..7bc370c4370 100644
--- a/source/client/cifs.upcall.c
+++ b/source/client/cifs.upcall.c
@@ -26,6 +26,7 @@ create dns_resolver * * /usr/local/sbin/cifs.upcall %k
 */
 
 #include "includes.h"
+#include "smb_krb5.h"
 #include <keyutils.h>
 #include <getopt.h>
 
diff --git a/source/configure.in b/source/configure.in
index 6594e7cca46..ba68a3cadeb 100644
--- a/source/configure.in
+++ b/source/configure.in
@@ -3563,10 +3563,7 @@ if test x"$with_ads_support" != x"no"; then
       samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER=no)])
 
   if test x"$samba_cv_HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER" = x"yes"; then
-    AC_DEFINE(KRB5_DEPRECATED, 1,
-	       [Whether to use deprecated krb5 interfaces])
-  else
-    AC_DEFINE(KRB5_DEPRECATED,,
+    AC_DEFINE(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER, 1,
 	       [Whether to use deprecated krb5 interfaces])
   fi
 fi
diff --git a/source/include/ads.h b/source/include/ads.h
index abff9eaa8c7..ba3db901bbb 100644
--- a/source/include/ads.h
+++ b/source/include/ads.h
@@ -339,68 +339,9 @@ typedef void **ADS_MODLIST;
 /* Kerberos environment variable names */
 #define KRB5_ENV_CCNAME "KRB5CCNAME"
 
-/* Heimdal uses a slightly different name */
-#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
-#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
-#endif
-
-/* The older versions of heimdal that don't have this
-   define don't seem to use it anyway.  I'm told they
-   always use a subkey */
-#ifndef HAVE_AP_OPTS_USE_SUBKEY
-#define AP_OPTS_USE_SUBKEY 0
-#endif
-
 #define WELL_KNOWN_GUID_COMPUTERS	"AA312825768811D1ADED00C04FD8D5CD" 
 #define WELL_KNOWN_GUID_USERS		"A9D1CA15768811D1ADED00C04FD8D5CD"
 
-#ifndef KRB5_ADDR_NETBIOS
-#define KRB5_ADDR_NETBIOS 0x14
-#endif
-
-#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
-#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
-#endif
-
-#ifdef HAVE_KRB5
-typedef struct {
-	NTSTATUS ntstatus;
-	uint32 unknown1;
-	uint32 unknown2; /* 0x00000001 */
-} KRB5_EDATA_NTSTATUS;
-
-typedef struct {
-#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
-	krb5_address **addrs;
-#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
-	krb5_addresses *addrs;
-#else
-#error UNKNOWN_KRB5_ADDRESS_TYPE
-#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */
-} smb_krb5_addresses;
-
-#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
-#define KRB5_KEY_TYPE(k)	((k)->keytype)
-#define KRB5_KEY_LENGTH(k)	((k)->keyvalue.length)
-#define KRB5_KEY_DATA(k)	((k)->keyvalue.data)
-#define KRB5_KEY_DATA_CAST	void
-#else /* MIT */
-#define KRB5_KEY_TYPE(k)	((k)->enctype)
-#define KRB5_KEY_LENGTH(k)	((k)->length)
-#define KRB5_KEY_DATA(k)	((k)->contents)
-#define KRB5_KEY_DATA_CAST	krb5_octet
-#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
-
-#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY               /* MIT */
-#define KRB5_KT_KEY(k)		(&(k)->key)
-#elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK          /* Heimdal */
-#define KRB5_KT_KEY(k)		(&(k)->keyblock)
-#else
-#error krb5_keytab_entry has no key or keyblock member
-#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
-
-#endif /* HAVE_KRB5 */
-
 enum ads_extended_dn_flags {
 	ADS_EXTENDED_DN_HEX_STRING	= 0,
 	ADS_EXTENDED_DN_STRING		= 1 /* not supported on win2k */
diff --git a/source/include/includes.h b/source/include/includes.h
index b97f78f31be..d4f6ffcb933 100644
--- a/source/include/includes.h
+++ b/source/include/includes.h
@@ -20,11 +20,6 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-/* work around broken krb5.h on sles9 */
-#ifdef SIZEOF_LONG
-#undef SIZEOF_LONG
-#endif
-
 #include "lib/replace/replace.h"
 
 /* make sure we have included the correct config.h */
@@ -163,9 +158,7 @@
 #endif
 #endif /* HAVE_NETGROUP */
 
-#if HAVE_KRB5_H
-#include <krb5.h>
-#else
+#ifndef HAVE_KRB5_H
 #undef HAVE_KRB5
 #endif
 
@@ -1144,135 +1137,6 @@ char *talloc_asprintf_strupper_m(TALLOC_CTX *t, const char *fmt, ...) PRINTF_ATT
 #define XATTR_REPLACE 0x2       /* set value, fail if attr does not exist */
 #endif
 
-#if defined(HAVE_KRB5)
-
-krb5_error_code smb_krb5_parse_name(krb5_context context,
-				const char *name, /* in unix charset */
-                                krb5_principal *principal);
-
-krb5_error_code smb_krb5_unparse_name(krb5_context context,
-				krb5_const_principal principal,
-				char **unix_name);
-
-#ifndef HAVE_KRB5_SET_REAL_TIME
-krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
-#endif
-
-krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
-
-#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
-krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock);
-#endif
-
-#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
-void krb5_free_unparsed_name(krb5_context ctx, char *val);
-#endif
-
-/* Stub out initialize_krb5_error_table since it is not present in all
- * Kerberos implementations. If it's not present, it's not necessary to
- * call it.
- */
-#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE
-#define initialize_krb5_error_table()
-#endif
-
-/* Samba wrapper function for krb5 functionality. */
-bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
-int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
-bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
-krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
-krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
-#if defined(HAVE_KRB5_LOCATE_KDC)
-krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
-#endif
-krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
-bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote);
-krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
-krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype);
-void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
-bool kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
-void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
-NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
-			 DATA_BLOB *pac_data_blob,
-			 krb5_context context,
-			 krb5_keyblock *service_keyblock,
-			 krb5_const_principal client_principal,
-			 time_t tgs_authtime,
-			 struct PAC_DATA **pac_data_out);
-void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum, 
-				    struct PAC_SIGNATURE_DATA *sig);
-krb5_error_code smb_krb5_verify_checksum(krb5_context context,
-					 const krb5_keyblock *keyblock,
-					 krb5_keyusage usage,
-					 krb5_checksum *cksum,
-					 uint8 *data,
-					 size_t length);
-time_t get_authtime_from_tkt(krb5_ticket *tkt);
-void smb_krb5_free_ap_req(krb5_context context, 
-			  krb5_ap_req *ap_req);
-krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context, 
-						 const krb5_data *inbuf, 
-						 krb5_kvno *kvno, 
-						 krb5_enctype *enctype);
-krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
-							krb5_auth_context *auth_context,
-							const krb5_data *inbuf,
-							krb5_const_principal server,
-							krb5_keytab keytab,
-							krb5_flags *ap_req_options,
-							krb5_ticket **ticket, 
-							krb5_keyblock **keyblock);
-krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, 
-					    const char *name, 
-					    krb5_principal *principal);
-bool smb_krb5_principal_compare_any_realm(krb5_context context, 
-					  krb5_const_principal princ1, 
-					  krb5_const_principal princ2);
-int cli_krb5_get_ticket(const char *principal, time_t time_offset, 
-			DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, const char *ccname, time_t *tgs_expire);
-krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time);
-krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code);
-krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr);
-krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr);
-NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
-krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
-void smb_krb5_free_error(krb5_context context, krb5_error *krberror);
-krb5_error_code handle_krberror_packet(krb5_context context,
-                                         krb5_data *packet);
-
-void smb_krb5_get_init_creds_opt_free(krb5_context context,
-				    krb5_get_init_creds_opt *opt);
-krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
-				    krb5_get_init_creds_opt **opt);
-krb5_error_code smb_krb5_mk_error(krb5_context context,
-					krb5_error_code error_code,
-					const krb5_principal server,
-					krb5_data *reply);
-krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry);
-krb5_error_code smb_krb5_enctype_to_string(krb5_context context, 
- 					    krb5_enctype enctype, 
-					    char **etype_s);
-krb5_error_code smb_krb5_open_keytab(krb5_context context, 
- 				      const char *keytab_name, 
-				      bool write_access, 
-				      krb5_keytab *keytab);
-krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
-				     krb5_context context,
-				     krb5_keytab keytab,
-				     const char **keytab_name);
-int smb_krb5_kt_add_entry_ext(krb5_context context,
-			      krb5_keytab keytab,
-			      krb5_kvno kvno,
-			      const char *princ_s,
-			      krb5_enctype *enctypes,
-			      krb5_data password,
-			      bool no_salt,
-			      bool keep_old_entries);
-char *smb_krb5_principal_get_realm(krb5_context context,
-				   krb5_principal principal);
-#endif /* HAVE_KRB5 */
-
-
 #ifdef HAVE_LDAP
 
 /* function declarations not included in proto.h */
diff --git a/source/include/krb5_protos.h b/source/include/krb5_protos.h
new file mode 100644
index 00000000000..ef5c6670efe
--- /dev/null
+++ b/source/include/krb5_protos.h
@@ -0,0 +1,146 @@
+/* work around broken krb5.h on sles9 */
+#ifdef SIZEOF_LONG
+#undef SIZEOF_LONG
+#endif
+
+
+#if defined(HAVE_KRB5)
+krb5_error_code smb_krb5_parse_name(krb5_context context,
+				const char *name, /* in unix charset */
+                                krb5_principal *principal);
+
+krb5_error_code smb_krb5_unparse_name(krb5_context context,
+				      krb5_const_principal principal,
+				      char **unix_name);
+
+#ifndef HAVE_KRB5_SET_REAL_TIME
+krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
+#endif
+
+krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
+
+#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
+krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock);
+#endif
+
+#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
+void krb5_free_unparsed_name(krb5_context ctx, char *val);
+#endif
+
+/* Stub out initialize_krb5_error_table since it is not present in all
+ * Kerberos implementations. If it's not present, it's not necessary to
+ * call it.
+ */
+#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE
+#define initialize_krb5_error_table()
+#endif
+
+/* Samba wrapper function for krb5 functionality. */
+bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
+int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
+bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
+krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
+krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+#if defined(HAVE_KRB5_LOCATE_KDC)
+krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
+#endif
+krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
+bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote);
+krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
+krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype);
+void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
+bool kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
+void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
+NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
+			 DATA_BLOB *pac_data_blob,
+			 krb5_context context,
+			 krb5_keyblock *service_keyblock,
+			 krb5_const_principal client_principal,
+			 time_t tgs_authtime,
+			 struct PAC_DATA **pac_data_out);
+void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
+				    struct PAC_SIGNATURE_DATA *sig);
+krb5_error_code smb_krb5_verify_checksum(krb5_context context,
+					 const krb5_keyblock *keyblock,
+					 krb5_keyusage usage,
+					 krb5_checksum *cksum,
+					 uint8 *data,
+					 size_t length);
+time_t get_authtime_from_tkt(krb5_ticket *tkt);
+void smb_krb5_free_ap_req(krb5_context context,
+			  krb5_ap_req *ap_req);
+krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context,
+						 const krb5_data *inbuf,
+						 krb5_kvno *kvno,
+						 krb5_enctype *enctype);
+krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
+							krb5_auth_context *auth_context,
+							const krb5_data *inbuf,
+							krb5_const_principal server,
+							krb5_keytab keytab,
+							krb5_flags *ap_req_options,
+							krb5_ticket **ticket,
+							krb5_keyblock **keyblock);
+krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
+					    const char *name,
+					    krb5_principal *principal);
+bool smb_krb5_principal_compare_any_realm(krb5_context context,
+					  krb5_const_principal princ1,
+					  krb5_const_principal princ2);
+int cli_krb5_get_ticket(const char *principal, time_t time_offset,
+			DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
+			uint32 extra_ap_opts, const char *ccname,
+			time_t *tgs_expire);
+krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time);
+krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code);
+krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr);
+krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr);
+NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
+krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
+void smb_krb5_free_error(krb5_context context, krb5_error *krberror);
+krb5_error_code handle_krberror_packet(krb5_context context,
+                                         krb5_data *packet);
+
+void smb_krb5_get_init_creds_opt_free(krb5_context context,
+				    krb5_get_init_creds_opt *opt);
+krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
+				    krb5_get_init_creds_opt **opt);
+krb5_error_code smb_krb5_mk_error(krb5_context context,
+					krb5_error_code error_code,
+					const krb5_principal server,
+					krb5_data *reply);
+krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry);
+krb5_error_code smb_krb5_enctype_to_string(krb5_context context,
+					    krb5_enctype enctype,
+					    char **etype_s);
+krb5_error_code smb_krb5_open_keytab(krb5_context context,
+				      const char *keytab_name,
+				      bool write_access,
+				      krb5_keytab *keytab);
+krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
+				     krb5_context context,
+				     krb5_keytab keytab,
+				     const char **keytab_name);
+int smb_krb5_kt_add_entry_ext(krb5_context context,
+			      krb5_keytab keytab,
+			      krb5_kvno kvno,
+			      const char *princ_s,
+			      krb5_enctype *enctypes,
+			      krb5_data password,
+			      bool no_salt,
+			      bool keep_old_entries);
+krb5_error_code smb_krb5_get_credentials(krb5_context context,
+					 krb5_ccache ccache,
+					 krb5_principal me,
+					 krb5_principal server,
+					 krb5_principal impersonate_princ,
+					 krb5_creds **out_creds);
+krb5_error_code smb_krb5_get_creds(const char *server_s,
+				   time_t time_offset,
+				   const char *cc,
+				   const char *impersonate_princ_s,
+				   krb5_creds **creds_p);
+char *smb_krb5_principal_get_realm(krb5_context context,
+				   krb5_principal principal);
+#endif /* HAVE_KRB5 */
+
diff --git a/source/include/smb_krb5.h b/source/include/smb_krb5.h
new file mode 100644
index 00000000000..ce7acc431fa
--- /dev/null
+++ b/source/include/smb_krb5.h
@@ -0,0 +1,78 @@
+#ifndef _HEADER_smb_krb5_h
+#define _HEADER_smb_krb5_h
+
+#define KRB5_PRIVATE    1       /* this file uses PRIVATE interfaces! */
+/* this file uses DEPRECATED interfaces! */
+
+#if defined(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER)
+#define KRB5_DEPRECATED 1
+#else
+#define KRB5_DEPRECATED
+#endif
+
+#if HAVE_KRB5_H
+#include <krb5.h>
+#endif
+
+#ifndef KRB5_ADDR_NETBIOS
+#define KRB5_ADDR_NETBIOS 0x14
+#endif
+
+#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
+#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
+#endif
+
+typedef struct {
+	NTSTATUS ntstatus;
+	uint32 unknown1;
+	uint32 unknown2; /* 0x00000001 */
+} KRB5_EDATA_NTSTATUS;
+
+/* Heimdal uses a slightly different name */
+#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
+#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
+#endif
+
+/* The older versions of heimdal that don't have this
+   define don't seem to use it anyway.  I'm told they
+   always use a subkey */
+#ifndef HAVE_AP_OPTS_USE_SUBKEY
+#define AP_OPTS_USE_SUBKEY 0
+#endif
+
+#ifdef HAVE_KRB5
+typedef struct {
+#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
+	krb5_address **addrs;
+#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
+	krb5_addresses *addrs;
+#else
+#error UNKNOWN_KRB5_ADDRESS_TYPE
+#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */
+} smb_krb5_addresses;
+
+#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
+#define KRB5_KEY_TYPE(k)	((k)->keytype)
+#define KRB5_KEY_LENGTH(k)	((k)->keyvalue.length)
+#define KRB5_KEY_DATA(k)	((k)->keyvalue.data)
+#define KRB5_KEY_DATA_CAST	void
+#else /* MIT */
+#define KRB5_KEY_TYPE(k)	((k)->enctype)
+#define KRB5_KEY_LENGTH(k)	((k)->length)
+#define KRB5_KEY_DATA(k)	((k)->contents)
+#define KRB5_KEY_DATA_CAST	krb5_octet
+#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
+
+#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY               /* MIT */
+#define KRB5_KT_KEY(k)		(&(k)->key)
+#elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK          /* Heimdal */
+#define KRB5_KT_KEY(k)		(&(k)->keyblock)
+#else
+#error krb5_keytab_entry has no key or keyblock member
+#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
+
+#endif /* HAVE_KRB5 */
+
+#include "krb5_protos.h"
+
+#endif /* _HEADER_smb_krb5_h */
diff --git a/source/libads/ads_status.c b/source/libads/ads_status.c
index 29148e85439..6680766f23f 100644
--- a/source/libads/ads_status.c
+++ b/source/libads/ads_status.c
@@ -21,6 +21,7 @@
 */
 
 #include "includes.h"
+#include "smb_krb5.h"
 
 /*
   build a ADS_STATUS structure
diff --git a/source/libads/authdata.c b/source/libads/authdata.c
index 0bde3e6984a..3ff69f49ae1 100644
--- a/source/libads/authdata.c
+++ b/source/libads/authdata.c
@@ -23,6 +23,8 @@
 */
 
 #include "includes.h"
+#include "librpc/gen_ndr/ndr_krb5pac.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source/libads/kerberos.c b/source/libads/kerberos.c
index 1ceed64019a..f7091022e69 100644
--- a/source/libads/kerberos.c
+++ b/source/libads/kerberos.c
@@ -22,6 +22,7 @@
 */
 
 #include "includes.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source/libads/kerberos_keytab.c b/source/libads/kerberos_keytab.c
index 7c028cb78fe..8af44b5b500 100644
--- a/source/libads/kerberos_keytab.c
+++ b/source/libads/kerberos_keytab.c
@@ -26,6 +26,7 @@
 */
 
 #include "includes.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source/libads/kerberos_verify.c b/source/libads/kerberos_verify.c
index de3fdeb9de6..f48a9f75c9d 100644
--- a/source/libads/kerberos_verify.c
+++ b/source/libads/kerberos_verify.c
@@ -24,6 +24,7 @@
 */
 
 #include "includes.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source/libads/krb5_errs.c b/source/libads/krb5_errs.c
index 0e03ebb90dd..d4ff09a5106 100644
--- a/source/libads/krb5_errs.c
+++ b/source/libads/krb5_errs.c
@@ -18,6 +18,7 @@
  */
 
 #include "includes.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source/libads/krb5_setpw.c b/source/libads/krb5_setpw.c
index ad86f0c3315..a83e6c52a10 100644
--- a/source/libads/krb5_setpw.c
+++ b/source/libads/krb5_setpw.c
@@ -19,6 +19,7 @@
 */
 
 #include "includes.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source/libnet/libnet_keytab.h b/source/libnet/libnet_keytab.h
index 4d311a48e0e..9d72f0ac075 100644
--- a/source/libnet/libnet_keytab.h
+++ b/source/libnet/libnet_keytab.h
@@ -17,6 +17,8 @@
  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  */
 
+#include "smb_krb5.h"
+
 #ifdef HAVE_KRB5
 
 struct libnet_keytab_entry {
diff --git a/source/libsmb/cliconnect.c b/source/libsmb/cliconnect.c
index 3e076b2a6ec..136296048b2 100644
--- a/source/libsmb/cliconnect.c
+++ b/source/libsmb/cliconnect.c
@@ -19,6 +19,7 @@
 */
 
 #include "includes.h"
+#include "smb_krb5.h"
 
 static const struct {
 	int prot;
diff --git a/source/libsmb/clikrb5.c b/source/libsmb/clikrb5.c
index 666ca086339..1b45e826a4b 100644
--- a/source/libsmb/clikrb5.c
+++ b/source/libsmb/clikrb5.c
@@ -20,10 +20,8 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#define KRB5_PRIVATE    1       /* this file uses PRIVATE interfaces! */
-/* this file uses DEPRECATED interfaces! */
-
 #include "includes.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_KRB5
 
diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c
index 88bd4be98ab..b9765607492 100644
--- a/source/rpc_client/cli_pipe.c
+++ b/source/rpc_client/cli_pipe.c
@@ -19,6 +19,7 @@
 
 #include "includes.h"
 #include "librpc/gen_ndr/cli_epmapper.h"
+#include "smb_krb5.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_CLI
diff --git a/source/utils/ntlm_auth.c b/source/utils/ntlm_auth.c
index 8a9ac42329a..2d29ea9b402 100644
--- a/source/utils/ntlm_auth.c
+++ b/source/utils/ntlm_auth.c
@@ -25,6 +25,7 @@
 
 #include "includes.h"
 #include "utils/ntlm_auth.h"
+#include "smb_krb5.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
diff --git a/source/winbindd/winbindd_cred_cache.c b/source/winbindd/winbindd_cred_cache.c
index ff6d0f3df76..9488a6f4f7b 100644
--- a/source/winbindd/winbindd_cred_cache.c
+++ b/source/winbindd/winbindd_cred_cache.c
@@ -23,6 +23,8 @@
 
 #include "includes.h"
 #include "winbindd.h"
+#include "smb_krb5.h"
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
 
diff --git a/source/winbindd/winbindd_pam.c b/source/winbindd/winbindd_pam.c
index 646bef30fdc..51305972eef 100644
--- a/source/winbindd/winbindd_pam.c
+++ b/source/winbindd/winbindd_pam.c
@@ -24,6 +24,8 @@
 
 #include "includes.h"
 #include "winbindd.h"
+#include "smb_krb5.h"
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND