HEIMDAL: move code from source4/heimdal* to third_party/heimdal*

This makes it clearer that we always want to do heimdal changes
via the lorikeet-heimdal repository.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184

17 files changed, 1418 insertions, 0 deletions

diff --git a/third_party/heimdal/tools/Makefile.am b/third_party/heimdal/tools/Makefile.am
new file mode 100644
index 00000000000..7c50e464058
--- /dev/null
+++ b/third_party/heimdal/tools/Makefile.am
@@ -0,0 +1,65 @@
+# $Id$
+
+include $(top_srcdir)/Makefile.am.common
+
+bin_SCRIPTS = krb5-config
+
+pkgconfigdir = $(libdir)/pkgconfig
+
+pkgconfig_DATA = \
+	heimdal-gssapi.pc \
+	heimdal-krb5.pc \
+	heimdal-kadm-client.pc \
+	heimdal-kadm-server.pc \
+	kafs.pc \
+	kadm-client.pc \
+	kadm-server.pc \
+	krb5.pc \
+	krb5-gssapi.pc
+
+man_MANS = krb5-config.1
+
+if PKINIT
+LIB_pkinit = -lhx509
+endif
+
+subst = sed	-e "s!@PACKAGE\@!$(PACKAGE)!g" \
+		-e "s!@VERSION\@!$(VERSION)!g" \
+		-e "s!@CANONICAL_HOST\@!$(CANONICAL_HOST)!g" \
+		-e "s!@prefix\@!$(prefix)!g" \
+		-e "s!@exec_prefix\@!$(exec_prefix)!g" \
+		-e "s!@libdir\@!$(libdir)!g" \
+		-e "s!@includedir\@!$(includedir)!g" \
+		-e "s!@PTHREAD_LIBADD\@!$(PTHREAD_LIBADD)!g" \
+		-e "s!@LIB_crypt\@!$(LIB_crypt)!g" \
+		-e "s!@LIB_dbopen\@!$(LIB_dbopen)!g" \
+		-e "s!@LIB_hcrypto_appl\@!$(LIB_hcrypto_appl)!g" \
+		-e "s!@LIB_dlopen\@!$(LIB_dlopen)!g" \
+		-e "s!@LIB_door_create\@!$(LIB_door_create)!g" \
+		-e "s!@LIB_pkinit\@!$(LIB_pkinit)!g" \
+		-e "s!@LIBS\@!$(LIBS)!g"
+
+krb5-config: krb5-config.in
+	$(subst) $(srcdir)/krb5-config.in | /bin/sh > $@.new
+	mv $@.new $@
+	chmod +x $@
+
+.pc.in.pc:
+	$(subst) $< > $@.new
+	mv $@.new $@
+
+EXTRA_DIST = \
+	NTMakefile \
+	cov.sh \
+	$(man_MANS) \
+	krb5-config.in \
+	heimdal-gssapi.pc.in \
+	kdc-log-analyze.pl \
+	$(pkgconfig_DATA:.pc=.pc.in)
+
+CLEANFILES = \
+	krb5-config \
+	krb5-config.new \
+	$(pkgconfig_DATA) \
+	$(pkgconfig_DATA:.pc=.pc.new)
+
diff --git a/third_party/heimdal/tools/NTMakefile b/third_party/heimdal/tools/NTMakefile
new file mode 100644
index 00000000000..e4b34668d5b
--- /dev/null
+++ b/third_party/heimdal/tools/NTMakefile
@@ -0,0 +1,35 @@
+########################################################################
+#
+# Copyright (c) 2009, Secure Endpoints Inc.
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 
+# - Redistributions of source code must retain the above copyright
+#   notice, this list of conditions and the following disclaimer.
+# 
+# - Redistributions in binary form must reproduce the above copyright
+#   notice, this list of conditions and the following disclaimer in
+#   the documentation and/or other materials provided with the
+#   distribution.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+# 
+
+RELDIR=tools 
+
+!include ../windows/NTMakefile.w32 
+
diff --git a/third_party/heimdal/tools/cov.sh b/third_party/heimdal/tools/cov.sh
new file mode 100644
index 00000000000..8ceba2d2106
--- /dev/null
+++ b/third_party/heimdal/tools/cov.sh
@@ -0,0 +1,19 @@
+
+d="lib/roken lib/krb5 lib/gssapi lib/ntlm tests/kdc tests/gss kuser"
+
+basedir=$(basedir $0)
+
+${basedir}/../configure CFLAGS='-fprofile-arcs -ftest-coverage' > log
+
+lcov --directory . --zerocounters
+
+make all check > log
+
+lcov --directory . --capture --output-file heimdal-lcov.info
+
+objdir="/Volumes/data/Users/lha/obj/hg"
+srcdir="/Volumes/data/Users/lha/src/heimdal/git"
+
+perl -pi -e "s@SF:$objdir/(.*.[ly])\$@SF:$srcdir/\$1@" heimdal-lcov.info
+
+genhtml heimdal-lcov.info
diff --git a/third_party/heimdal/tools/coveralls-tool b/third_party/heimdal/tools/coveralls-tool
new file mode 100755
index 00000000000..981bd1757be
--- /dev/null
+++ b/third_party/heimdal/tools/coveralls-tool
@@ -0,0 +1,277 @@
+#!/bin/bash
+
+# This script collates gcov data after one has configured with --enable-gcov,
+# built, and run tests.  It either outputs or POSTs to Coveralls a JSON text in
+# the schema for the Coveralls API, which is documented here:
+#
+# https://docs.coveralls.io/api-introduction
+# https://docs.coveralls.io/api-reference
+#
+# Currently only files in source languages supported by gcov(1) are reported
+# on, though this can easily be extended.  Currently that's only C/C++ files.
+#
+# This script is specifically written for Heimdal, which is an open source C
+# codebases that uses autoconf and libtool for its build system.  This means
+# that sometimes the gcov notes and data files are not necessarily where the
+# gcov(1) utility would find them, which is why this script exists instead of
+# using some other integration script.
+#
+# Although this is specific to Heimdal, it can be extended.
+#
+# Note that one side effect of running this script, gcov(1) will be run for all
+# C/C++ source files in the workspace.  As well, some gcov notes and data files
+# maybe hard-linked to other names.  However, this script should be idempotent.
+
+set -euo pipefail
+set +o noglob
+
+PROG=${0##*/}
+
+job=${TRAVIS_JOB_ID:-}
+out=
+post=false
+repo=
+flst=
+quiet=false
+branch=
+srcdir=$PWD
+objdir=
+token=${COVERALLS_REPO_TOKEN:-}
+origin=
+verbose=0
+
+function usage {
+    ((${1:-1})) && exec 1>&2
+    cat <<EOF
+Usage: $PROG [OPTIONS]
+    Options:
+
+     -q         Quiet.  Do not even emit warnings.
+     -v         Verbose (on stderr).  May be given multiple times.
+     -o -       Output to stdout instead of POSTing to Coveralls.
+     -o FILE    Output to FILE   instead of POSTing to Coveralls.
+     -s CI-NAME Name of CI (e.g., "travis-ci")
+                Defaults to travis-ci.
+     -t TOKEN   Token for Coveralls.
+                Defaults to \$COVERALLS_REPO_TOKEN.
+     -b BRANCH  Name of branch the report is for.
+                Defaults to \$TRAVIS_BRANCH or currently-checked out branch in
+                SRCDIR.
+     -J ID      Job ID (e.g., Travis-CI job ID)
+                Defaults to \${TRAVIS_JOB_ID}.
+     -i FILE    Lists source files to run gcov(1) against
+                Defaults to \<(git ls-files -- '*.c' '*.cpp').
+     -S SRCDIR  Path to workspace
+                Defaults to \${PWD}.
+     -O OBJDIR  Path to object directory if workspace is built out of tree
+                Defaults to SRCDIR.
+     -U ORIGIN  Name of origin.
+                Defaults to tracked upstream remote of BRANCH.
+     -R URI     Repository URI
+                Defaults to git@github.com:\${TRAVIS_REPO_SLUG} or the push URI
+                for the ORIGIN remote of the workspace at SRCDIR.
+
+    $PROG will look for .gcno and .gcda files in OBJDIR for source files
+    in the workspace at SRCDIR and will run gcov on them, and produce
+    a request body as JSON in FILE (or stdout if -o FILE not given)
+    for the Coveralls API.
+
+    If -o FILE is not given, then $PROG will POST the JSON to Coveralls.
+    If -o FILE is given, then $PROG will not POST it to Coveralls.
+
+    If SRCDIR == OBJDIR == \$PWD, then -S and -O need not be given.
+    If running in a Travis-CI build, -J, -R, and -b need not be given, and -t
+    should not be given -- instead you should set a secret COVERALLS_REPO_TOKEN
+    environment variable in your project's Travis-CI's settings.
+
+    Only C and C++ source files are reported on.  E.g., Yacc/Bison/Flex
+    source files are not reported.
+
+    The resulting JSON output is or can be POSTed to Coveralls with:
+
+      $ curl -sfg -X POST -F "json_file=@\${FILE}" -F "Filename=json_file" \\
+             https://coveralls.io/api/v1/jobs
+EOF
+    exit ${1:-1}
+}
+
+while getopts +:J:O:R:S:U:b:hi:o:qs:t:vx opt; do
+case "$opt" in
+J) job=$OPTARG;;
+O) cd "$OPTARG"; objdir=$PWD; cd "$OLDPWD";;
+R) repo=$OPTARG;;
+S) cd "$OPTARG"; srcdir=$PWD; cd "$OLDPWD";;
+U) origin=$OPTARG;;
+b) branch=;;
+h) usage 0;;
+i) flst=$OPTARG;;
+o) out=$OPTARG;;
+q) quiet=true; verbose=0;;
+s) ci=$OPTARG;;
+t) token=$OPTARG;;
+v) quiet=false; ((verbose++)) || true; ((verbose > 3)) && set -vx;;
+*) usage 1;;
+esac
+done
+
+# Note: we don't cd to $srcdir or $objdir or anywhere, so if $out is a relative
+# path, we do the right thing.
+
+: ${objdir:=${srcdir}}
+: ${branch:=${TRAVIS_BRANCH:-$(cd "$srcdir" && git rev-parse --abbrev-ref HEAD)}}
+
+if [[ -z ${origin:-} ]]; then
+    origin=$(
+        git for-each-ref \
+            --format="%(refname:short) %(upstream:remotename)" refs/heads |
+            while read gb gr; do
+                [[ $gb = $branch ]] || continue
+                printf '%s\n' "$gr"
+                break
+            done
+    )
+fi
+
+if [[ -z ${repo:-} ]]; then
+    if [[ -n ${TRAVIS_REPO_SLUG:-} ]]; then
+        repo=git@github.com:${TRAVIS_REPO_SLUG:-heimdal/heimdal}
+    else
+        repo=$(cd "$srcdir" && git remote get-url --push "$origin")
+    fi
+fi
+
+if ((verbose > 1)); then
+    exec 3>&2
+else
+    exec 3>/dev/null
+fi
+
+d=
+function cleanup {
+    [[ -n $d ]] && rm -rf "$d"
+}
+
+trap cleanup EXIT
+d=$(mktemp -d)
+touch "${d}/f"
+
+declare -a gcov
+
+(cd "$srcdir" &&
+ if [[ -n $flst ]]; then cat "$flst"; else git ls-files -- '*.c' '*.cpp'; fi) |
+while read f; do
+    # Remember to be careful to refer to ${srcdir}/${f}
+    ((verbose)) && printf 'Processing: %s\n' "$f" 1>&2
+
+    dir=${f%/*}
+    base=${f##*/}
+    base=${base%.*}
+
+    if [[ ! -f ${objdir}/${dir}/.libs/${base}.gcda && ! -f ${objdir}/${dir}/${base}.gcda ]]; then
+        # Look for .libs/libfoo_la-${base}.gcda -- we don't know "foo", and
+        # there may be more than one!
+        gcda=
+        for gcda in ${objdir}/${dir}/.libs/*_la-${base}.gcda; do
+            break
+        done
+        gcno=
+        for gcno in ${objdir}/${dir}/.libs/*_la-${base}.gcno; do
+            break
+        done
+        [[ -n $gcno && -f $gcno ]] && ln -f "$gcno" "${objdir}/${dir}/.libs/${base}.gcno"
+        [[ -n $gcda && -f $gcda ]] && ln -f "$gcda" "${objdir}/${dir}/.libs/${base}.gcda"
+        if [[ ( -n $gcda && ! -f $gcda ) || ( -n $gcno && ! -f $gcno ) ]]; then
+            $quiet || printf 'Warning: %s has no gcov notes file\n' "$f" 1>&2
+            continue
+        fi
+    fi
+
+    if [[ -f ${objdir}/${dir}/.libs/${base}.gcda ]]; then
+        ((verbose > 1)) && printf 'Running gcov for %s using gcda from .libs\n' "$f" 1>&2
+        if ! (cd "${objdir}/${f%/*}"; ((verbose > 2)) && set -vx; gcov -o .libs "${f##*/}") 1>&3; then
+            $quiet || printf 'Warning: gcov failed for %s\n' "$f" 1>&2
+            continue
+        fi
+    elif [[ -f ${objdir}/${dir}/${base}.gcda ]]; then
+        if ! (cd "${objdir}/${f%/*}"; ((verbose > 2)) && set -vx; gcov "${f##*/}") 1>&3; then
+            $quiet || printf 'Warning: gcov failed for %s\n' "$f" 1>&2
+            continue
+        fi
+    fi
+
+    if [[ ! -f ${objdir}/${f}.gcov ]]; then
+        $quiet || printf 'Warning: gcov did not produce a .gcov file for %s\n' "$f" 1>&2
+        continue
+    fi
+
+    md5=$(md5sum "${srcdir}/${f}")
+    md5=${md5%% *}
+
+    jq -Rn --arg sum "${md5}" --arg f "$f" '
+        {
+            name: $f,
+            source_digest: $sum,
+            coverage: [
+                inputs
+              | split(":")
+              | (.[1] |= tonumber)
+              | select(.[1] > 0)
+              | if .[0]|endswith("#")
+                then 0
+                elif .[0]|endswith("-")
+                then null
+                else .[0]|tonumber
+                end
+            ]
+        }
+    ' "${objdir}/${f}.gcov" >> "${d}/f"
+done
+
+function make_report {
+    jq -s --arg job "$job" \
+          --arg ci "${ci:-travis-ci}" \
+          --arg token "$token" \
+          --arg repo "$repo" \
+          --arg branch "$branch" \
+          --arg upstream "$origin" \
+          --arg head "$(git log -n1 --format=%H)" \
+          --arg subject "$(git log -n1 --format=%s)" \
+          --arg aN "$(git log -n1 --format=%aN)" \
+          --arg ae "$(git log -n1 --format=%ae)" \
+          --arg cN "$(git log -n1 --format=%cN)" \
+          --arg ce "$(git log -n1 --format=%ce)" \
+        '{
+            service_job_id: $job,
+            service_name: $ci,
+            repo_token: $token,
+            git: {
+                id: $head,
+                author_name:  $aN,
+                author_email: $ae,
+                committer_name:  $cN,
+                committer_email: $ce,
+                message: $subject,
+                branch: $branch,
+                remotes: [ {
+                    "name": $upstream,
+                    "url": $repo
+                    }
+                ]
+            },
+            source_files: .
+        }' "${d}/f"
+}
+
+if [[ -z $out ]]; then
+    post=true
+    make_report > "${d}/out"
+elif [[ $out = - ]]; then
+    make_report
+else
+    make_report > "${out}"
+fi
+
+if $post && [[ $out != /dev/stdout ]]; then
+    curl -sfg -X POST -F "json_file=@${d}/out" -F "Filename=json_file" \
+         https://coveralls.io/api/v1/jobs
+fi
diff --git a/third_party/heimdal/tools/fixgcov-source-paths.sh b/third_party/heimdal/tools/fixgcov-source-paths.sh
new file mode 100755
index 00000000000..eaa9c9c62ad
--- /dev/null
+++ b/third_party/heimdal/tools/fixgcov-source-paths.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+find ${1:-.} -name '*.gcov' -print | while read f; do
+    case "$f" in
+    */.libs/*) continue;;
+    *) true;;
+    esac
+    echo FIX $f
+    f_basename=${f%%.gcno\#\#*}.c
+    f_basename=${f_basename##*/}
+    head -1 "$f" | grep 'Source:/' > /dev/null && continue
+    #bname=$(head -1 "$f" | grep 'Source:/' | cut -d: -f4)
+    dname=$(echo "$f"|cut -d'#' -f1|sed -e 's,/[^/]*$,/,')
+    ex "$f" <<EOF
+1,1 s,:Source:.*$,:Source:${dname}${f_basename},
+wq!
+EOF
+done
diff --git a/third_party/heimdal/tools/heimdal-gssapi.pc.in b/third_party/heimdal/tools/heimdal-gssapi.pc.in
new file mode 100644
index 00000000000..41adefe4d4b
--- /dev/null
+++ b/third_party/heimdal/tools/heimdal-gssapi.pc.in
@@ -0,0 +1,14 @@
+# $Id$
+prefix=@prefix@
+exec_prefix=${prefix}
+libdir=@libdir@
+includedir=@includedir@
+
+Name: @PACKAGE@
+Description: Heimdal is an implementation of Kerberos 5, freely available under a three clause BSD style license.
+Version: @VERSION@
+URL: http://www.pdc.kth.se/heimdal/
+Requires.private: heimdal-krb5
+Libs: -L${libdir} -lgssapi
+Libs.private: -lheimntlm @LIB_crypt@
+Cflags: -I${includedir}
diff --git a/third_party/heimdal/tools/heimdal-kadm-client.pc.in b/third_party/heimdal/tools/heimdal-kadm-client.pc.in
new file mode 100644
index 00000000000..2eb9e3e4ebf
--- /dev/null
+++ b/third_party/heimdal/tools/heimdal-kadm-client.pc.in
@@ -0,0 +1,11 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: heimdal-kadm-client
+Description: Kadmin client library.
+Version: @VERSION@
+Requires.private: heimdal-gssapi
+Libs: -L${libdir} -lkadm5clnt
+Cflags: -I${includedir}
diff --git a/third_party/heimdal/tools/heimdal-kadm-server.pc.in b/third_party/heimdal/tools/heimdal-kadm-server.pc.in
new file mode 100644
index 00000000000..00a78cc3abb
--- /dev/null
+++ b/third_party/heimdal/tools/heimdal-kadm-server.pc.in
@@ -0,0 +1,12 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: heimdal-kadm-server
+Description: Kadmin server library.
+Version: @VERSION@
+Requires.private: heimdal-gssapi
+Libs: -L${libdir} -lkadm5srv
+Libs.private: @LIB_dbopen@
+Cflags: -I${includedir}
diff --git a/third_party/heimdal/tools/heimdal-krb5.pc.in b/third_party/heimdal/tools/heimdal-krb5.pc.in
new file mode 100644
index 00000000000..a1f139979cb
--- /dev/null
+++ b/third_party/heimdal/tools/heimdal-krb5.pc.in
@@ -0,0 +1,12 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+vendor=Heimdal
+
+Name: heimdal-krb5
+Description: Heimdal implementation of the Kerberos network authentication.
+Version: @VERSION@
+Libs: -L${libdir} -lkrb5
+Libs.private: @LIB_pkinit@ -lcom_err @LIB_hcrypto_appl@ -lasn1 -lwind -lheimbase -lroken @LIB_crypt@ @PTHREAD_LIBADD@ @LIB_dlopen@ @LIB_door_create@ @LIBS@
+Cflags: -I${includedir}
diff --git a/third_party/heimdal/tools/kadm-client.pc.in b/third_party/heimdal/tools/kadm-client.pc.in
new file mode 100644
index 00000000000..f8438856cfa
--- /dev/null
+++ b/third_party/heimdal/tools/kadm-client.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+vendor=Heimdal
+
+Name: kadm-client
+Description: Kadmin client library.
+Version: @VERSION@
+Requires: heimdal-kadm-client
diff --git a/third_party/heimdal/tools/kadm-server.pc.in b/third_party/heimdal/tools/kadm-server.pc.in
new file mode 100644
index 00000000000..9f1e62ec017
--- /dev/null
+++ b/third_party/heimdal/tools/kadm-server.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+vendor=Heimdal
+
+Name: kadm-server
+Description: Kadmin server library.
+Version: @VERSION@
+Requires: heimdal-kadm-server
diff --git a/third_party/heimdal/tools/kafs.pc.in b/third_party/heimdal/tools/kafs.pc.in
new file mode 100644
index 00000000000..bd31f263b54
--- /dev/null
+++ b/third_party/heimdal/tools/kafs.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: kafs
+Description: Libraries for application that uses kafs.
+Version: @VERSION@
+Requires.private: heimdal-krb5
+Libs: -lkafs
diff --git a/third_party/heimdal/tools/kdc-log-analyze.pl b/third_party/heimdal/tools/kdc-log-analyze.pl
new file mode 100644
index 00000000000..6692bf45757
--- /dev/null
+++ b/third_party/heimdal/tools/kdc-log-analyze.pl
@@ -0,0 +1,549 @@
+#! /usr/pkg/bin/perl
+# -*- mode: perl; perl-indent-level: 8 -*-
+# 
+# Copyright (c) 2003 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+# 
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+# 
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+# 
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+# 
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+# 
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id$
+#
+# kdc-log-analyze - Analyze a KDC log file and give a report on the contents
+#
+# Note: The parts you want likely want to customize are the variable $notlocal,
+# the array @local_network_re and the array @local_realms.
+#
+# Idea and implemetion for MIT Kerberos was done first by 
+# Ken Hornstein <kenh@cmf.nrl.navy.mil>, this program wouldn't exists
+# without his help.
+#
+
+use strict;
+use Sys::Hostname;
+
+my $notlocal = 'not SU';
+my @local_realms = ( "SU.SE" );
+my @local_networks_re = 
+    ( 
+      "130\.237",
+      "193\.11\.3[0-9]\.",
+      "130.242.128",
+      "2001:6b0:5:"
+      );
+
+my $as_req = 0;
+my %as_req_addr;
+my %as_req_addr_nonlocal;
+my %as_req_client;
+my %as_req_server;
+my %addr_uses_des;
+my %princ_uses_des;
+my $five24_req = 0;
+my %five24_req_addr;
+my %five24_req_addr_nonlocal;
+my %five24_req_server;
+my %five24_req_client;
+my $as_req_successful = 0;
+my $as_req_error = 0;
+my $no_such_princ = 0;
+my %no_such_princ_princ;
+my %no_such_princ_addr;
+my %no_such_princ_addr_nonlocal;
+my $as_req_etype_odd = 0;
+my %bw_addr;
+my $pa_alt_princ_request = 0;
+my $pa_alt_princ_verify = 0;
+my $tgs_req = 0;
+my %tgs_req_addr;
+my %tgs_req_addr_nonlocal;
+my %tgs_req_client;
+my %tgs_req_server;
+my $tgs_xrealm_out = 0;
+my %tgs_xrealm_out_realm;
+my %tgs_xrealm_out_princ;
+my $tgs_xrealm_in = 0;
+my %tgs_xrealm_in_realm;
+my %tgs_xrealm_in_princ;
+my %enctype_session;
+my %enctype_ticket;
+my $restarts = 0;
+my $forward_non_forward = 0;
+my $v4_req = 0;
+my %v4_req_addr;
+my %v4_req_addr_nonlocal;
+my $v4_cross = 0;
+my %v4_cross_realm;
+my $v5_cross = 0;
+my %v5_cross_realm;
+my $referrals = 0;
+my %referral_princ;
+my %referral_realm;
+my %strange_tcp_data;
+my $http_malformed = 0;
+my %http_malformed_addr;
+my $http_non_kdc = 0;
+my %http_non_kdc_addr;
+my $tcp_conn_timeout = 0;
+my %tcp_conn_timeout_addr;
+my $failed_processing = 0;
+my %failed_processing_addr;
+my $connection_closed = 0;
+my %connection_closed_addr;
+my $pa_failed = 0;
+my %pa_failed_princ;
+my %pa_failed_addr;
+my %ip;
+
+$ip{'4'} = $ip{'6'} = 0;
+
+while (<>) {
+	process_line($_);
+}
+
+print "Kerberos KDC Log Report for ", 
+    hostname, " on ", scalar localtime, "\n\n";
+
+print "General Statistics\n\n";
+
+print "\tNumber of IPv4 requests: $ip{'4'}\n";
+print "\tNumber of IPv6 requests: $ip{'6'}\n\n";
+
+print "\tNumber of restarts: $restarts\n";
+print "\tNumber of V4 requests: $v4_req\n";
+if ($v4_req > 0) {
+	print "\tTop ten IP addresses performing V4 requests:\n";
+	topten(\%v4_req_addr);
+}
+if (int(keys %v4_req_addr_nonlocal) > 0) {
+	print "\tTop ten $notlocal IP addresses performing V4 requests:\n";
+	topten(\%v4_req_addr_nonlocal);
+
+}
+print "\n";
+
+print "\tNumber of V4 cross realms (krb4 and 524) requests: $v4_cross\n";
+if ($v4_cross > 0) {
+	print "\tTop ten realms performing V4 cross requests:\n";
+	topten(\%v4_cross_realm);
+}
+print "\n";
+
+print "\tNumber of V45 cross realms requests: $v5_cross\n";
+if ($v5_cross > 0) {
+	print "\tTop ten realms performing V4 cross requests:\n";
+	topten(\%v5_cross_realm);
+}
+print "\n";
+
+print "\tNumber of failed lookups: $no_such_princ\n";
+if ($no_such_princ > 0) {
+	print "\tTop ten IP addresses failing to find principal:\n";
+	topten(\%no_such_princ_addr);
+	print "\tTop ten $notlocal IP addresses failing find principal:\n";
+	topten(\%no_such_princ_addr_nonlocal);
+	print "\tTop ten failed to find principals\n";
+	topten(\%no_such_princ_princ);
+}
+print "\n";
+
+print "\tBandwidth pigs:\n";
+topten(\%bw_addr);
+print "\n";
+
+print "\tStrange TCP data clients: ", int(keys %strange_tcp_data),"\n";
+topten(\%strange_tcp_data);
+print "\n";
+
+print "\tTimeout waiting on TCP requests: ", $tcp_conn_timeout,"\n";
+if ($tcp_conn_timeout > 0) {
+	print "\tTop ten TCP timeout request clients\n";
+	topten(\%tcp_conn_timeout_addr);
+}
+print "\n";
+
+print "\tFailed processing requests: ", $failed_processing,"\n";
+if ($failed_processing > 0) {
+	print "\tTop ten failed processing request clients\n";
+	topten(\%failed_processing_addr);
+}
+print "\n";
+
+print "\tConnection closed requests: ", $connection_closed,"\n";
+if ($connection_closed > 0) {
+	print "\tTop ten connection closed request clients\n";
+	topten(\%connection_closed_addr);
+}
+print "\n";
+
+print "\tMalformed HTTP requests: ", $http_malformed,"\n";
+if ($http_malformed > 0) {
+	print "\tTop ten malformed HTTP request clients\n";
+	topten(\%http_malformed_addr);
+}
+print "\n";
+
+print "\tHTTP non kdc requests: ", $http_non_kdc,"\n";
+if ($http_non_kdc > 0) {
+	print "\tTop ten HTTP non KDC request clients\n";
+	topten(\%http_non_kdc_addr);
+}
+print "\n";
+
+print "Report on AS_REQ requests\n\n";
+print "Overall AS_REQ statistics\n\n";
+
+print "\tTotal number: $as_req\n";
+
+print "\nAS_REQ client/server statistics\n\n";
+
+print "\tDistinct IP Addresses performing requests: ", 
+    int(keys %as_req_addr),"\n";
+print "\tOverall top ten IP addresses\n";
+topten(\%as_req_addr);
+
+print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ",
+					int(keys %as_req_addr_nonlocal), "\n";
+print "\tTop ten non-local ($notlocal) IP address:\n";
+topten(\%as_req_addr_nonlocal);
+
+print "\n\tPreauth failed for for: ", $pa_failed, " requests\n";
+if ($pa_failed) {
+	print "\tPreauth failed top ten IP addresses:\n";
+	topten(\%pa_failed_addr);
+	print "\tPreauth failed top ten principals:\n";
+	topten(\%pa_failed_princ);
+}
+
+print "\n\tDistinct clients performing requests: ", 
+    int(keys %as_req_client), "\n";
+print "\tTop ten clients:\n";
+topten(\%as_req_client);
+
+print "\tDistinct services requested: ", int(keys %as_req_server), "\n";
+print "\tTop ten requested services:\n";
+topten(\%as_req_server);
+
+print "\n\n\nReport on TGS_REQ requests:\n\n";
+print "Overall TGS_REQ statistics\n\n";
+print "\tTotal number: $tgs_req\n";
+
+print "\nTGS_REQ client/server statistics\n\n";
+print "\tDistinct IP addresses performing requests: ",
+				int(keys %tgs_req_addr), "\n";
+print "\tOverall top ten IP addresses\n";
+topten(\%tgs_req_addr);
+
+print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ",
+				int(keys %tgs_req_addr_nonlocal), "\n";
+print "\tTop ten non-local ($notlocal) IP address:\n";
+topten(\%tgs_req_addr_nonlocal);
+
+print "\tDistinct clients performing requests: ",
+				int(keys %tgs_req_client), "\n";
+print "\tTop ten clients:\n";
+topten(\%tgs_req_client);
+
+print "\tDistinct services requested: ", int(keys %tgs_req_server), "\n";
+print "\tTop ten requested services:\n";
+topten(\%tgs_req_server);
+
+print "\n\n\nReport on 524_REQ requests:\n\n";
+
+print "\t524_REQ client/server statistics\n\n";
+
+print "\tDistinct IP Addresses performing requests: ", 
+    int(keys %five24_req_addr),"\n";
+print "\tOverall top ten IP addresses\n";
+topten(\%five24_req_addr);
+
+print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ",
+					int(keys %five24_req_addr_nonlocal), "\n";
+print "\tTop ten non-local ($notlocal) IP address:\n";
+topten(\%five24_req_addr_nonlocal);
+
+print "\tDistinct clients performing requests: ", int(keys %five24_req_client), "\n";
+print "\tTop ten clients:\n";
+topten(\%five24_req_client);
+
+print "\tDistinct services requested: ", int(keys %five24_req_server), "\n";
+print "\tTop ten requested services:\n";
+topten(\%five24_req_server);
+print "\n";
+
+print "Cross realm statistics\n\n";
+
+print "\tNumber of cross-realm tgs out: $tgs_xrealm_out\n";
+if ($tgs_xrealm_out > 0) {
+	print "\tTop ten realms used for out cross-realm:\n";
+	topten(\%tgs_xrealm_out_realm);
+	print "\tTop ten principals use out cross-realm:\n";
+	topten(\%tgs_xrealm_out_princ);
+}
+print "\tNumber of cross-realm tgs in: $tgs_xrealm_in\n";
+if ($tgs_xrealm_in > 0) {
+	print "\tTop ten realms used for in cross-realm:\n";
+	topten(\%tgs_xrealm_in_realm);
+	print "\tTop ten principals use in cross-realm:\n";
+	topten(\%tgs_xrealm_in_princ);
+}
+
+print "\n\nReport on referral:\n\n";
+
+print "\tNumber of referrals: $referrals\n";
+if ($referrals > 0) {
+	print "\tTop ten referral-ed principals:\n";
+	topten(\%referral_princ);
+	print "\tTop ten to realm referrals:\n";
+	topten(\%referral_realm);
+}
+
+print "\n\nEnctype Statistics:\n\n";
+print "\tTop ten session enctypes:\n";
+topten(\%enctype_session);
+print "\tTop ten ticket enctypes:\n";
+topten(\%enctype_ticket);
+
+print "\tDistinct IP addresses using DES: ", int(keys %addr_uses_des), "\n";
+print "\tTop IP addresses using DES:\n";
+topten(\%addr_uses_des);
+print "\tDistinct principals using DES: ", int(keys %princ_uses_des), "\n";
+print "\tTop ten principals using DES:\n";
+topten(\%princ_uses_des);
+
+print "\n";
+
+printf("Requests to forward non-forwardable ticket: $forward_non_forward\n");
+
+
+exit 0;
+
+my $last_addr = "";
+my $last_principal = "";
+
+sub process_line {
+	local($_) = @_;
+	#
+	# Eat these lines that are output as a result of startup (but
+	# log the number of restarts)
+	#
+	if (/AS-REQ \(krb4\) (.*) from IPv([46]):([0-9\.:a-fA-F]+) for krbtgt.*$/){
+		$v4_req++;
+		$v4_req_addr{$3}++;
+		$v4_req_addr_nonlocal{$3}++ if (!islocaladdr($3));
+		$last_addr = $3;
+		$last_principal = $1;
+		$ip{$2}++;
+	} elsif (/AS-REQ (.*) from IPv([46]):([0-9\.:a-fA-F]+) for (.*)$/) {
+		$as_req++;
+		$as_req_client{$1}++;
+		$as_req_server{$4}++;
+		$as_req_addr{$3}++;
+		$as_req_addr_nonlocal{$3}++ if (!islocaladdr($3));
+		$last_addr = $3;
+		$last_principal = $1;
+		$ip{$2}++;
+	} elsif (/TGS-REQ \(krb4\)/) {
+		#Nothing
+	} elsif (/TGS-REQ (.+) from IPv([46]):([0-9\.:a-fA-F]+) for (.*?)( \[.*\]){0,1}$/) {
+		$tgs_req++;
+		$tgs_req_client{$1}++;
+		$tgs_req_server{$4}++;
+		$tgs_req_addr{$3}++;
+		$tgs_req_addr_nonlocal{$3}++ if (!islocaladdr($3));
+		$last_addr = $3;
+		$last_principal = $1;
+		$ip{$2}++;
+
+		my $source = $1;
+		my $dest = $4;
+		
+		if (!islocalrealm($source)) {
+			$tgs_xrealm_in++;
+			$tgs_xrealm_in_princ{$source}++;
+			if ($source =~ /[^@]+@([^@]+)/ ) {
+				$tgs_xrealm_in_realm{$1}++;
+			}
+		}
+		if ($dest =~ /krbtgt\/([^@]+)@[^@]+/) {
+			if (!islocalrealm($1)) {
+				$tgs_xrealm_out++;
+				$tgs_xrealm_out_realm{$1}++;
+				$tgs_xrealm_out_princ{$source}++;
+			}
+		}
+	} elsif (/524-REQ (.*) from IPv([46]):([0-9\.:a-fA-F]+) for (.*)$/) {
+		$five24_req++;
+		$five24_req_client{$1}++;
+		$five24_req_server{$4}++;
+		$five24_req_addr{$3}++;
+		$five24_req_addr_nonlocal{$3}++ if (!islocaladdr($3));
+		$last_addr = $3;
+		$last_principal = $1;
+		$ip{$2}++;
+	} elsif (/TCP data of strange type from IPv[46]:([0-9\.:a-fA-F]+)/) {
+		$strange_tcp_data{$1}++;
+	} elsif (/Lookup (.*) failed: No such entry in the database/) {
+		$no_such_princ++;
+		$no_such_princ_addr{$last_addr}++;
+		$no_such_princ_addr_nonlocal{$last_addr}++ if (!islocaladdr($last_addr));
+		$no_such_princ_princ{$1}++;
+	} elsif (/Lookup .* succeeded$/) {
+		# Nothing
+	} elsif (/Malformed HTTP request from IPv[46]:([0-9\.:a-fA-F]+)$/) {
+		$http_malformed++;
+		$http_malformed_addr{$1}++;
+	} elsif (/TCP-connection from IPv[46]:([0-9\.:a-fA-F]+) expired after [0-9]+ bytes/) {
+		$tcp_conn_timeout++;
+		$tcp_conn_timeout_addr{$1}++;
+	} elsif (/Failed processing [0-9]+ byte request from IPv[46]:([0-9\.:a-fA-F]+)/) {
+		$failed_processing++;
+		$failed_processing_addr{$1}++;
+	} elsif (/connection closed before end of data after [0-9]+ bytes from IPv[46]:([0-9\.:a-fA-F]+)/) {
+		$connection_closed++;
+		$connection_closed_addr{$1}++;
+	} elsif (/HTTP request from IPv[46]:([0-9\.:a-fA-F]+) is non KDC request/) {
+		$http_non_kdc++;
+		$http_non_kdc_addr{$1}++;
+	} elsif (/returning a referral to realm (.*) for server (.*) that was not found/) {
+		$referrals++;
+		$referral_princ{$2}++;
+		$referral_realm{$1}++;
+	} elsif (/krb4 Cross-realm (.*) -> (.*) disabled/) {
+		$v4_cross++;
+		$v4_cross_realm{$1."->".$2}++;
+	} elsif (/524 cross-realm (.*) -> (.*) disabled/) {
+		$v4_cross++;
+		$v4_cross_realm{$1."->".$2}++;
+	} elsif (/cross-realm (.*) -> (.*): no transit through realm (.*)/) {
+	} elsif (/cross-realm (.*) -> (.*) via \[([^\]]+)\]/) {
+		$v5_cross++;
+		$v5_cross_realm{$1."->".$2}++;
+	} elsif (/cross-realm (.*) -> (.*)/) {
+		$v5_cross++;
+		$v5_cross_realm{$1."->".$2}++;
+	} elsif (/sending ([0-9]+) bytes to IPv[46]:([0-9\.:a-fA-F]+)/) {
+		$bw_addr{$2} += $1;
+	} elsif (/Using ([-a-z0-9]+)\/([-a-z0-9]+)/) {
+		$enctype_ticket{$1}++;
+		$enctype_session{$2}++;
+
+		my $ticket = $1;
+		my $session = $2;
+
+		if ($ticket =~ /des-cbc-(crc|md4|md5)/) {
+			$addr_uses_des{$last_addr}++;
+			$princ_uses_des{$last_principal}++;
+		}
+
+	} elsif (/Failed to decrypt PA-DATA -- (.+)$/) {
+		$pa_failed++;
+		$pa_failed_princ{$last_principal}++;
+		$pa_failed_addr{$last_addr}++;
+
+	} elsif (/Request to forward non-forwardable ticket/) {
+		$forward_non_forward++;
+	} elsif (/HTTP request:/) {
+	} elsif (/krb_rd_req: Incorrect network address/) {
+	} elsif (/krb_rd_req: Ticket expired \(krb_rd_req\)/) {
+	} elsif (/Ticket expired \(.*\)/) {
+	} elsif (/krb_rd_req: Can't decode authenticator \(krb_rd_req\)/) {
+	} elsif (/Request from wrong address/) {
+		# XXX
+	} elsif (/UNKNOWN --/) {
+		# XXX
+	} elsif (/Too large time skew -- (.*)$/) {
+		# XXX
+	} elsif (/No PA-ENC-TIMESTAMP --/) {
+		# XXX
+	} elsif (/Looking for pa-data --/) {
+		# XXX
+	} elsif (/Pre-authentication succeded -- (.+)$/) {
+		# XXX
+	} elsif (/Bad request for ([,a-zA-Z0-9]+) ticket/) {
+		# XXX
+	} elsif (/Failed to verify AP-REQ: Ticket expired/) {
+		# XXX 
+	} elsif (/Client not found in database:/) {
+		# XXX
+	} elsif (/Server not found in database \(krb4\)/) {
+	} elsif (/Server not found in database:/) {
+		# XXX
+	} elsif (/newsyslog.*logfile turned over/) {
+		# Nothing
+	} elsif (/Requested flags:/) {
+		# Nothing
+	} elsif (/shutting down/) {
+		# Nothing
+	} elsif (/listening on IP/) {
+		# Nothing
+	} elsif (/commencing operation/) {
+		$restarts++;
+	}
+	#
+	# Log it if we didn't parse the line
+	#
+	else {
+		print "Unknown log file line: $_";
+	}
+}
+
+sub topten {
+	my ($list) = @_;
+	my @keys;
+
+	my $key;
+
+	@keys = (sort {$$list{$b} <=> $$list{$a}} (keys %{$list}));
+	splice @keys, 10;
+
+	foreach $key (@keys) {
+		print "\t\t$key - $$list{$key}\n";
+	}
+}
+
+sub islocaladdr (\$) {
+	my ($addr) = @_;
+	my $net;
+
+	foreach $net (@local_networks_re) {
+		return 1 if ($addr =~ /$net/);
+	}
+	return 0;
+}
+
+sub islocalrealm (\$) {
+	my ($princ) = @_;
+	my $realm;
+
+	foreach $realm (@local_realms) {
+		return 1 if ($princ eq $realm);
+		return 1 if ($princ =~ /[^@]+\@${realm}/);
+	}
+	return 0;
+}
diff --git a/third_party/heimdal/tools/krb5-config.1 b/third_party/heimdal/tools/krb5-config.1
new file mode 100644
index 00000000000..ced45de3be2
--- /dev/null
+++ b/third_party/heimdal/tools/krb5-config.1
@@ -0,0 +1,90 @@
+.\" Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd November 30, 2000
+.Dt KRB5-CONFIG 1
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5-config
+.Nd "give information on how to link code against Heimdal libraries"
+.Sh SYNOPSIS
+.Nm
+.Op Fl Fl prefix Ns Op = Ns Ar dir
+.Op Fl Fl exec-prefix Ns Op = Ns Ar dir
+.Op Fl Fl libs
+.Op Fl Fl cflags
+.Op Ar libraries
+.Sh DESCRIPTION
+.Nm
+tells the application programmer what special flags to use to compile
+and link programs against the libraries installed by Heimdal.
+.Pp
+Options supported:
+.Bl -tag -width Ds
+.It Fl Fl prefix Ns Op = Ns Ar dir
+Print the prefix if no
+.Ar dir
+is specified, otherwise set prefix to
+.Ar dir .
+.It Fl Fl exec-prefix Ns Op = Ns Ar dir
+Print the exec-prefix if no
+.Ar dir
+is specified, otherwise set exec-prefix to
+.Ar dir .
+.It Fl Fl libs
+Output the set of libraries that should be linked against.  This also
+includes rpath flags with the expectation that the C compiler is used
+for final link-edits.
+.It Fl Fl cflags
+Output the set of flags to give to the C compiler when using the
+Heimdal libraries.
+.El
+.Pp
+By default
+.Nm
+will output the set of flags and libraries to be used by a normal
+program using the krb5 API.  The user can also supply a library to be
+used, the supported ones are:
+.Bl -tag -width Ds
+.It krb5
+(the default)
+.It gssapi
+use the krb5 gssapi mechanism
+.It kadm-client
+use the client-side kadmin libraries
+.It kadm-server
+use the server-side kadmin libraries
+.El
+.Sh SEE ALSO
+.Xr cc 1
+.Sh HISTORY
+.Nm
+appeared in Heimdal 0.3d.
diff --git a/third_party/heimdal/tools/krb5-config.in b/third_party/heimdal/tools/krb5-config.in
new file mode 100644
index 00000000000..64085303393
--- /dev/null
+++ b/third_party/heimdal/tools/krb5-config.in
@@ -0,0 +1,266 @@
+#!/bin/sh
+
+cat <<'EOM'
+#!/bin/sh
+#
+# Copyright (c) 2000 - 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+
+do_all=no
+do_libs=no
+do_lib_deps=no
+do_cflags=no
+do_usage=no
+print_prefix=no
+print_exec_prefix=no
+library=
+lib_krb5=no
+lib_gssapi=no
+lib_kadm_client=no
+lib_kadm_server=no
+lib_kafs=no
+
+if test $# -eq 0; then
+  do_usage=yes
+  usage_exit=1
+fi
+
+for i in $*; do
+  case $i in
+  --help)
+    do_usage=yes
+    usage_exit=0
+    ;;
+  --all)
+    do_all=yes
+    ;;
+  --vendor)
+    echo "Heimdal"
+    exit 0;
+    ;;
+  --version)
+    echo "@PACKAGE@ @VERSION@"
+    exit 0
+    ;;
+  --prefix=*)
+    prefix=`echo $i | sed 's/^--prefix=//'`
+    ;;
+  --prefix)
+    print_prefix=yes
+    ;;
+  --exec-prefix=*)
+    exec_prefix=`echo $i | sed 's/^--exec-prefix=//'`
+    ;;
+  --exec-prefix)
+    print_exec_prefix=yes
+    ;;
+  --libs)
+    do_libs=yes
+    ;;
+  --deps)
+    do_lib_deps=yes
+    ;;
+  --cflags)
+    do_cflags=yes
+    ;;
+  krb5)
+    library=krb5
+    lib_krb5=yes
+    ;;
+  gssapi)
+    library=gssapi
+    lib_gssapi=yes
+    ;;
+  kadm-client)
+    library=kadm-client
+    lib_kadm_client=yes
+    ;;
+  kadm-server)
+    library=kadm-server
+    lib_kadm_server=yes
+    ;;
+  kafs)
+    library=kafs
+    lib_kafs=yes
+    ;;
+  *)
+    echo "unknown option: $i"
+    exit 1
+    ;;
+  esac
+done
+
+if test "$do_usage" = "yes"; then
+    echo "usage: $0 [options] [libraries]"
+    echo "options:   [--help]         show this message"
+    echo "           [--all]          display version, vendor, etc."
+    echo "           [--version]      display version information"
+    echo "           [--prefix]       display the prefix of Kerberos"
+    echo "           [--exec-prefix]  display the exec_prefix of Kerberos"
+    echo "           [--cflags]       display the CFLAGS required"
+    echo "           [--libs]         display the libraries required to link"
+    echo "           [--deps]         display the dependent libs required"
+    echo "                            for static linking"
+    echo
+    echo "libraries: krb5             Kerberos 5 applications"
+    echo "           gssapi           GSSAPI applications"
+    echo "           kadm-client      libkadm5 client"
+    echo "           kadm-server      libkadm5 server"
+    echo "           kafs             kafs"
+    exit $usage_exit
+fi
+
+if test X"$library" = X; then
+    lib_krb5=yes
+fi
+
+if test "$prefix" = ""; then
+  prefix=@prefix@
+fi
+if test "$exec_prefix" = ""; then
+  exec_prefix=@exec_prefix@
+fi
+
+libdir=@libdir@
+includedir=@includedir@
+
+if test "$do_all" = "yes"; then
+    echo "Version:     @PACKAGE@ @VERSION@"
+    echo "Vendor:      Heimdal"
+    echo "Prefix:      $prefix"
+    echo "Exec_prefix: $exec_prefix"
+    exit 0
+fi
+
+if test "$print_prefix" = "yes"; then
+    echo $prefix
+    exit 0
+fi
+
+if test "$print_exec_prefix" = "yes"; then
+    echo $exec_prefix
+    exit 0
+fi
+
+# The following rpath_flag setting code is distilled from MIT Kerberos'
+# src/config/shlib.conf.  Some of this seems ancient and likely to be
+# wrong in some cases, but right for all the cases we probably care
+# about.  Also, this will very likely be wrong depending on how the
+# caller will be doing link-edits (with what compiler-driver or
+# link-editor)!  There's no fixing this.
+#
+# In principle this doesn't belong here: application should instead use
+# krb5-config --libdir to get the directory to use for the rpath, then
+# workout the rpath flags on their own.  Of course, there's no --libdir
+# option...  And MIT's krb5-config does include rpath flags.
+#
+# Compatibility with MIT is the winning consideration for now.
+EOM
+
+case "@CANONICAL_HOST@" in
+alpha*-dec-osf*)
+  rpath_flag='-Wl,-rpath -Wl,';;
+*-*-hpux*)
+  rpath_flag='-Wl,+b,';;
+*-*-irix* | mips-*-netbsd*)
+  rpath_flag='-Wl,-rpath -Wl,';;
+*-*-netbsd* | *-*-openbsd* | *-*-solaris*)
+  rpath_flag='-R';;
+*-*-linux* | *-*-gnu* | *-*-k*bsd*-gnu | *-*-freebsd*)
+  rpath_flag='-Wl,--enable-new-dtags -Wl,-rpath -Wl,';;
+*-*-aix*)
+  rpath_flag='-Wl,-blibpath:';;
+*)
+rpath_flag=;;
+esac
+
+echo "rpath_flag='$rpath_flag'"
+
+cat <<'EOM'
+
+if test "$do_libs" = "yes"; then
+    deplibs=""
+    if test "$lib_gssapi" = yes; then
+	lib_flags="$lib_flags -lgssapi"
+	deplibs="$deplibs -lheimntlm"
+	if test X"$do_lib_deps" = Xyes; then
+	    lib_krb5=yes
+	fi
+    fi
+    if test "$lib_kadm_client" = yes; then
+	lib_flags="$lib_flags -lkadm5clnt"
+	if test X"$do_lib_deps" = Xyes; then
+	    lib_krb5=yes
+	fi
+    fi
+    if test "$lib_kadm_server" = yes; then
+	lib_flags="$lib_flags -lkadm5srv"
+	deplibs="$deplibs @LIB_dbopen@"
+	if test X"$do_lib_deps" = Xyes; then
+	    lib_krb5=yes
+	fi
+    fi
+    if test "$lib_kafs" = yes; then
+	lib_flags="$lib_flags -lkafs"
+	if test X"$do_lib_deps" = Xyes; then
+	    lib_krb5=yes
+	fi
+    fi
+    if test "$lib_krb5" = yes; then
+	lib_flags="$lib_flags -lkrb5"
+    fi
+    deplibs="$deplibs @LIB_pkinit@ -lcom_err"
+    deplibs="$deplibs @LIB_hcrypto_appl@ -lasn1 -lwind -lheimbase -lroken"
+    deplibs="$deplibs @LIB_crypt@ @PTHREAD_LIBADD@ @LIB_dlopen@"
+    deplibs="$deplibs @LIB_door_create@ @LIBS@"
+    if test X"$do_lib_deps" = X"yes"; then
+	lib_flags="$lib_flags $deplibs"
+    fi
+    if test X"$libdir" != X/usr/lib; then
+	lib_flags="-L${libdir} $lib_flags"
+	if test X"$rpath_flag" != X; then
+	    lib_flags="${rpath_flag}${libdir} $lib_flags"
+	fi
+    fi
+
+    echo ${lib_flags}
+fi
+if test "$do_cflags" = "yes"; then
+    cflags=""
+    if test X"${includedir}" != X/usr/include; then
+	cflags="-I${includedir} $cflags"
+    fi
+    echo $cflags
+fi
+
+exit 0
+EOM
diff --git a/third_party/heimdal/tools/krb5-gssapi.pc.in b/third_party/heimdal/tools/krb5-gssapi.pc.in
new file mode 100644
index 00000000000..482b78f03d6
--- /dev/null
+++ b/third_party/heimdal/tools/krb5-gssapi.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+vendor=Heimdal
+
+Name: krb5-gssapi
+Description: Kerberos implementation of the GSS API.
+Version: @VERSION@
+Requires: heimdal-gssapi
diff --git a/third_party/heimdal/tools/krb5.pc.in b/third_party/heimdal/tools/krb5.pc.in
new file mode 100644
index 00000000000..5ed2007c58b
--- /dev/null
+++ b/third_party/heimdal/tools/krb5.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+vendor=Heimdal
+
+Name: krb5
+Description: Heimdal implementation of the kerberos network authentication.
+Version: @VERSION@
+Requires: heimdal-krb5