auth and s4-rpc_server: Do not use features we currently can't implem…

…ent with MIT Kerbros build

auth/credentials/credentials_krb5.c

@@ -533,6 +533,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 		return ret;
 	}
 
+#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks krb5_get_default_in_tkt_etypes */
 	/*
 	 * transfer the enctypes from the smb_krb5_context to the gssapi layer
 	 *
@@ -567,6 +568,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 			return ret;
 		}
 	}
+#endif
+#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks GSS_KRB5_CRED_NO_CI_FLAGS_X */
 
 	/* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
 	maj_stat = gss_set_cred_option(&min_stat, &gcc->creds,
@@ -582,7 +585,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 		(*error_string) = talloc_asprintf(cred, "gss_set_cred_option failed: %s", error_message(ret));
 		return ret;
 	}
-
+#endif
 	cred->client_gss_creds_obtained = cred->ccache_obtained;
 	talloc_set_destructor(gcc, free_gssapi_creds);
 	cred->client_gss_creds = gcc;

source4/rpc_server/lsa/dcesrv_lsa.c

@@ -3709,10 +3709,16 @@ static void kdc_get_policy(struct loadparm_context *lp_ctx,
 	unix_to_nt_time(&k->service_tkt_lifetime, svc_tkt_lifetime);
 	unix_to_nt_time(&k->user_tkt_lifetime, usr_tkt_lifetime);
 	unix_to_nt_time(&k->user_tkt_renewaltime, renewal_lifetime);
+#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks krb5_get_max_time_skew.
+	However in the parent function we basically just did a full
+	krb5_context init with the only purpose of getting a global
+	config option (the max skew), it would probably make more sense
+	to have a lp_ or ldb global option as the samba default */
 	if (smb_krb5_context) {
 		unix_to_nt_time(&k->clock_skew, 
 				krb5_get_max_time_skew(smb_krb5_context->krb5_context));
 	}
+#endif
 	k->reserved = 0;
 }
 /*