From 7889d4b840920526b4598422771617d389ea5ab7 Mon Sep 17 00:00:00 2001
From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Fri, 13 Dec 2013 14:28:58 +0000
Subject: [PATCH] Disable threading for MIT libkrb5 <= 1.11.4 i.e. all
 currently released versions

---
 src/modules/rlm_krb5/configure    | 194 +++++++++++++++++++++---------
 src/modules/rlm_krb5/configure.ac | 182 ++++++++++++++++------------
 src/modules/rlm_krb5/rlm_krb5.c   |  42 -------
 3 files changed, 241 insertions(+), 177 deletions(-)

diff --git a/src/modules/rlm_krb5/configure b/src/modules/rlm_krb5/configure
index 5c267efe99..1ae9380a1d 100755
--- a/src/modules/rlm_krb5/configure
+++ b/src/modules/rlm_krb5/configure
@@ -588,6 +588,7 @@ LIBOBJS
 targetname
 mod_cflags
 mod_ldflags
+krb5config
 CPP
 OBJEXT
 EXEEXT
@@ -637,8 +638,7 @@ SHELL'
 ac_subst_files=''
 ac_user_opts='
 enable_option_checking
-with_rlm_krb5_lib_dir
-with_rlm_krb5_include_dir
+with_rlm_krb5_dir
 '
       ac_precious_vars='build_alias
 host_alias
@@ -1255,8 +1255,7 @@ if test -n "$ac_init_help"; then
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
   --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
-  --with-rlm-krb5-lib-dir=DIR       Directory for krb5 library files
-  --with-rlm-krb5-include-dir=DIR   Directory for krb5 include files
+  --with-rlm-krb5-dir=DIR       Directory for krb5 files
 
 Some influential environment variables:
   CC          C compiler command
@@ -2794,43 +2793,113 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
-		rlm_krb5_lib_dir=
+		rlm_krb5_dir=
 
-# Check whether --with-rlm-krb5-lib-dir was given.
-if test "${with_rlm_krb5_lib_dir+set}" = set; then :
-  withval=$with_rlm_krb5_lib_dir;  case "$withval" in
+# Check whether --with-rlm-krb5-dir was given.
+if test "${with_rlm_krb5_dir+set}" = set; then :
+  withval=$with_rlm_krb5_dir;  case "$withval" in
 	    no)
-		as_fn_error $? "Need rlm-krb5-lib-dir" "$LINENO" 5
+		as_fn_error $? "Need rlm-krb5-dir" "$LINENO" 5
 		;;
 	    yes)
 		;;
 	    *)
-		rlm_krb5_lib_dir="$withval"
+		rlm_krb5_dir="$withval"
 		;;
 	  esac
 
 fi
 
 
-		rlm_krb5_inc_dir=
-
-# Check whether --with-rlm-krb5-include-dir was given.
-if test "${with_rlm_krb5_include_dir+set}" = set; then :
-  withval=$with_rlm_krb5_include_dir;  case "$withval" in
-	    no)
-		as_fn_error $? "Need rlm-krb5-include-dir" "$LINENO" 5
-		;;
-	    yes)
-		;;
-	    *)
-		rlm_krb5_include_dir="$withval"
-		;;
-	  esac
+	# Extract the first word of "krb5-config", so it can be a program name with args.
+set dummy krb5-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_krb5config+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $krb5config in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_krb5config="$krb5config" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="${rlm_krb5_dir}/bin:${PATH}:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_krb5config="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
 
+  test -z "$ac_cv_path_krb5config" && ac_cv_path_krb5config="not-found"
+  ;;
+esac
+fi
+krb5config=$ac_cv_path_krb5config
+if test -n "$krb5config"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5config" >&5
+$as_echo "$krb5config" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
-	smart_try_dir=$rlm_krb5_include_dir
+					if test "krb5config" != "not-found"; then
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config CFLAGS" >&5
+$as_echo_n "checking krb5-config CFLAGS... " >&6; }
+		SMART_CFLAGS=$($krb5config --cflags)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${SMART_CFLAGS}" >&5
+$as_echo "${SMART_CFLAGS}" >&6; }
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config LDFLAGS" >&5
+$as_echo_n "checking krb5-config LDFLAGS... " >&6; }
+		SMART_LIBS=$($krb5config --libs)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${SMART_LIBS}" >&5
+$as_echo "${SMART_LIBS}" >&6; }
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config reported version" >&5
+$as_echo_n "checking krb5-config reported version... " >&6; }
+		krb5_version_raw=$($krb5config --version)
+
+				krb5_version=$(echo "$krb5_version_raw" | head -n 1 | \
+			awk '{split($(4),v,"."); if (v["3"] == "") v["3"] = "0"; print v["1"]v["2"]v["3"] }')
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${krb5_version_raw} ($krb5_version)" >&5
+$as_echo "${krb5_version_raw} ($krb5_version)" >&6; }
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config reported vendor" >&5
+$as_echo_n "checking krb5-config reported vendor... " >&6; }
+		krb5_vendor=$($krb5config --vendor)
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${krb5_vendor}" >&5
+$as_echo "${krb5_vendor}" >&6; }
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking canonical API type" >&5
+$as_echo_n "checking canonical API type... " >&6; }
+		if test "$krb5_vendor" = "Massachusetts Institute of Technology" || \
+			echo "$krb5_vendor" | grep -i 'MIT' > /dev/null 2>&1 ; then
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: MIT" >&5
+$as_echo "MIT" >&6; }
+
+			if test "$krb5_version" -le 1114 > /dev/null 2>&1; then
+				krb5threadsafe=no
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: marking libkrb5 as non-threadsafe due to defects in MIT libkrb5 <= 1.11.4" >&5
+$as_echo "$as_me: marking libkrb5 as non-threadsafe due to defects in MIT libkrb5 <= 1.11.4" >&6;}
+			fi
+		else
+			krb5mod_cflags="$krb5mod_cflags -DHEIMDAL_KRB5"
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: HEIMDAL" >&5
+$as_echo "HEIMDAL" >&6; }
+		fi
+	else
+		smart_try_dir="$rlm_krb5_dir/include"
 
 
 
@@ -2976,9 +3045,9 @@ if test "x$smart_include" != "x"; then
   SMART_CFLAGS="$SMART_CFLAGS $smart_include"
 fi
 
-	if test "$ac_cv_header_krb5_h" != "yes"; then
-        fail="$fail krb5.h"
-	fi
+		if test "$ac_cv_header_krb5_h" != "yes"; then
+		fail="$fail krb5.h"
+		fi
 
 
 
@@ -3125,7 +3194,7 @@ if test "x$smart_include" != "x"; then
   SMART_CFLAGS="$SMART_CFLAGS $smart_include"
 fi
 
-	if test "$ac_cv_header_com_err_h" != "yes"; then
+		if test "$ac_cv_header_com_err_h" != "yes"; then
 
 
 ac_safe=`echo "et/com_err.h" | sed 'y%./+-%__pm%'`
@@ -3270,15 +3339,15 @@ if test "x$smart_include" != "x"; then
   SMART_CFLAGS="$SMART_CFLAGS $smart_include"
 fi
 
-        if test "$ac_cv_header_et_com_err_h" != "yes"; then
-            fail="$fail com_err.h"
-	    else
-	        krb5mod_cflags="$krb5mod_cflags -DET_COMM_ERR "
-	    fi
-	fi
+		if test "$ac_cv_header_et_com_err_h" != "yes"; then
+		    fail="$fail com_err.h"
+		    else
+			krb5mod_cflags="$krb5mod_cflags -DET_COMM_ERR "
+		    fi
+		fi
 
-	krb5libcrypto=
-	smart_try_dir=$rlm_krb5_lib_dir
+		krb5libcrypto=
+		smart_try_dir="$rlm_krb5_dir/lib"
 
 
 sm_lib_safe=`echo "k5crypto" | sed 'y%./+-%__p_%'`
@@ -3445,11 +3514,11 @@ if test "x$smart_lib" != "x"; then
   SMART_LIBS="$smart_lib $SMART_LIBS"
 fi
 
-	if test "x$ac_cv_lib_k5crypto_krb5_encrypt_data" = xyes; then
-		krb5libcrypto="-lk5crypto"
-	fi
+		if test "x$ac_cv_lib_k5crypto_krb5_encrypt_data" = xyes; then
+			krb5libcrypto="-lk5crypto"
+		fi
 
-	if test "x$krb5libcrypto" = x; then
+		if test "x$krb5libcrypto" = x; then
 
 
 sm_lib_safe=`echo "crypto" | sed 'y%./+-%__p_%'`
@@ -3616,15 +3685,15 @@ if test "x$smart_lib" != "x"; then
   SMART_LIBS="$smart_lib $SMART_LIBS"
 fi
 
-		if test "x$ac_cv_lib_crypto_DH_new" = xyes; then
-			krb5libcrypto="-lcrypto"
+			if test "x$ac_cv_lib_crypto_DH_new" = xyes; then
+				krb5libcrypto="-lcrypto"
+			fi
 		fi
-	fi
 
-	if test "x$krb5libcrypto" = x; then
-		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!" >&5
+		if test "x$krb5libcrypto" = x; then
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!" >&5
 $as_echo "$as_me: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!" >&2;}
-	fi
+		fi
 
 
 
@@ -3792,10 +3861,10 @@ if test "x$smart_lib" != "x"; then
   SMART_LIBS="$smart_lib $SMART_LIBS"
 fi
 
-	if test "x$ac_cv_lib_com_err_set_com_err_hook" != xyes; then
-		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the comm_err library isn't found!" >&5
+		if test "x$ac_cv_lib_com_err_set_com_err_hook" != xyes; then
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the comm_err library isn't found!" >&5
 $as_echo "$as_me: WARNING: the comm_err library isn't found!" >&2;}
-	fi
+		fi
 
 
 
@@ -3963,9 +4032,9 @@ if test "x$smart_lib" != "x"; then
   SMART_LIBS="$smart_lib $SMART_LIBS"
 fi
 
-	if test "x$ac_cv_lib_krb5_krb5_verify_user_opt" == xyes; then
-        krb5mod_cflags="$krb5mod_cflags -DHEIMDAL_KRB5"
-	else
+		if test "x$ac_cv_lib_krb5_krb5_verify_user_opt" == xyes; then
+		krb5mod_cflags="$krb5mod_cflags -DHEIMDAL_KRB5"
+		else
 
 
 sm_lib_safe=`echo "krb5" | sed 'y%./+-%__p_%'`
@@ -4132,12 +4201,15 @@ if test "x$smart_lib" != "x"; then
   SMART_LIBS="$smart_lib $SMART_LIBS"
 fi
 
-	    if test "x$ac_cv_lib_krb5_krb5_get_init_creds_password" != xyes; then
-		    fail="$fail krb5"
-	    fi
+		    if test "x$ac_cv_lib_krb5_krb5_get_init_creds_password" != xyes; then
+			    fail="$fail krb5"
+		    fi
+		fi
+
 	fi
 
-	krb5threadsafe=
+				if test "$krb5threadsafe" == ""; then
+		krb5threadsafe=
 
 
 sm_lib_safe=`echo "krb5" | sed 'y%./+-%__p_%'`
@@ -4304,8 +4376,9 @@ if test "x$smart_lib" != "x"; then
   SMART_LIBS="$smart_lib $SMART_LIBS"
 fi
 
-	if test "x$ac_cv_lib_krb5_krb5_is_thread_safe" == xyes; then
-        if test "$cross_compiling" = yes; then :
+
+		if test "x$ac_cv_lib_krb5_krb5_is_thread_safe" == xyes; then
+		if test "$cross_compiling" = yes; then :
   { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 as_fn_error $? "cannot run test program while cross compiling
@@ -4332,6 +4405,7 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
   conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
 
+		fi
 	fi
 
 	targetname=rlm_krb5
@@ -4352,7 +4426,7 @@ $as_echo "$as_me: WARNING: FAILURE: rlm_krb5 requires: $fail." >&2;};
 	fi
 fi
 
-mod_ldflags="${krb5libcrypto} ${SMART_LIBS}"
+mod_ldflags="${krb5mod_ldflags} ${krb5libcrypto} ${SMART_LIBS}"
 mod_cflags="${krb5mod_cflags} ${krb5threadsafe} ${SMART_CFLAGS}"
 
 
diff --git a/src/modules/rlm_krb5/configure.ac b/src/modules/rlm_krb5/configure.ac
index 1584690ecd..b80d6829bf 100644
--- a/src/modules/rlm_krb5/configure.ac
+++ b/src/modules/rlm_krb5/configure.ac
@@ -8,97 +8,129 @@ if test x$with_[]modname != xno; then
 	AC_PROG_CC
 	AC_PROG_CPP
 
-	dnl extra argument: --with-rlm-krb5-lib-dir
-	rlm_krb5_lib_dir=
-	AC_ARG_WITH(rlm-krb5-lib-dir,
-	[  --with-rlm-krb5-lib-dir=DIR       Directory for krb5 library files []],
+	dnl extra argument: --with-rlm-krb5-dir
+	rlm_krb5_dir=
+	AC_ARG_WITH(rlm-krb5-dir,
+	[  --with-rlm-krb5-dir=DIR       Directory for krb5 files []],
 	[ case "$withval" in
 	    no)
-		AC_MSG_ERROR(Need rlm-krb5-lib-dir)
+		AC_MSG_ERROR(Need rlm-krb5-dir)
 		;;
 	    yes)
 		;;
 	    *)
-		rlm_krb5_lib_dir="$withval"
+		rlm_krb5_dir="$withval"
 		;;
 	  esac ]
 	)
 
-	dnl extra argument: --with-rlm-krb5-include-dir
-	rlm_krb5_inc_dir=
-	AC_ARG_WITH(rlm-krb5-include-dir,
-	[  --with-rlm-krb5-include-dir=DIR   Directory for krb5 include files []],
-	[ case "$withval" in
-	    no)
-		AC_MSG_ERROR(Need rlm-krb5-include-dir)
-		;;
-	    yes)
-		;;
-	    *)
-		rlm_krb5_include_dir="$withval"
-		;;
-	  esac ]
-	)
+	AC_PATH_PROG(krb5config, krb5-config, not-found, [${rlm_krb5_dir}/bin:${PATH}:/usr/bin:/usr/local/bin])
+	dnl #
+	dnl # If we can find krb5-config we can get the version of the library and determine
+	dnl # whether it's safe to enable threading.
+	dnl #
+	if test "krb5config" != "not-found"; then
+		AC_MSG_CHECKING([krb5-config CFLAGS])
+		SMART_CFLAGS=$($krb5config --cflags)
+		AC_MSG_RESULT(${SMART_CFLAGS})
 
-	smart_try_dir=$rlm_krb5_include_dir
-	FR_SMART_CHECK_INCLUDE(krb5.h)
-	if test "$ac_cv_header_krb5_h" != "yes"; then
-        fail="$fail krb5.h"
-	fi
+		AC_MSG_CHECKING([krb5-config LDFLAGS])
+		SMART_LIBS=$($krb5config --libs)
+		AC_MSG_RESULT(${SMART_LIBS})
 
-    dnl #
-    dnl # This lives in different places depending on the distro
-    dnl #
-    
-	FR_SMART_CHECK_INCLUDE([com_err.h])
-	if test "$ac_cv_header_com_err_h" != "yes"; then
-        FR_SMART_CHECK_INCLUDE([et/com_err.h])
-        if test "$ac_cv_header_et_com_err_h" != "yes"; then
-            fail="$fail com_err.h"
-	    else
-	        krb5mod_cflags="$krb5mod_cflags -DET_COMM_ERR "
-	    fi
-	fi
+		AC_MSG_CHECKING([krb5-config reported version])
+		krb5_version_raw=$($krb5config --version)
 
-	krb5libcrypto=
-	smart_try_dir=$rlm_krb5_lib_dir
-	FR_SMART_CHECK_LIB(k5crypto, krb5_encrypt_data)
-	if test "x$ac_cv_lib_k5crypto_krb5_encrypt_data" = xyes; then
-		krb5libcrypto="-lk5crypto"
-	fi
+		dnl # AWK originally from from https://github.com/hpc/lustre
+		krb5_version=$(echo "$krb5_version_raw" | head -n 1 | \
+			awk '{split($(4),v,"."); if (v@<:@"3"@:>@ == "") v@<:@"3"@:>@ = "0"; print v@<:@"1"@:>@v@<:@"2"@:>@v@<:@"3"@:>@ }')
+		AC_MSG_RESULT([${krb5_version_raw} ($krb5_version)])
 
-	if test "x$krb5libcrypto" = x; then
-		FR_SMART_CHECK_LIB(crypto, DH_new)
-		if test "x$ac_cv_lib_crypto_DH_new" = xyes; then
-			krb5libcrypto="-lcrypto"
-		fi
-	fi
+		AC_MSG_CHECKING([krb5-config reported vendor])
+		krb5_vendor=$($krb5config --vendor)
+		AC_MSG_RESULT([${krb5_vendor}])
 
-	if test "x$krb5libcrypto" = x; then
-		AC_MSG_WARN([neither krb5 'k5crypto' nor 'crypto' libraries are found!])
-	fi
-	
-	FR_SMART_CHECK_LIB(com_err, set_com_err_hook)
-	if test "x$ac_cv_lib_com_err_set_com_err_hook" != xyes; then
-		AC_MSG_WARN([the comm_err library isn't found!])
-	fi
-	
-	dnl Only the heimdal version of the library has this function
-	FR_SMART_CHECK_LIB(krb5, krb5_verify_user_opt)
-	if test "x$ac_cv_lib_krb5_krb5_verify_user_opt" == xyes; then
-        krb5mod_cflags="$krb5mod_cflags -DHEIMDAL_KRB5"
+		AC_MSG_CHECKING([canonical API type])
+		if test "$krb5_vendor" = "Massachusetts Institute of Technology" || \
+			echo "$krb5_vendor" | grep -i 'MIT' > /dev/null 2>&1 ; then
+			AC_MSG_RESULT([MIT])
+
+			if test "$krb5_version" -le 1114 > /dev/null 2>&1; then
+				krb5threadsafe=no
+				AC_MSG_NOTICE([marking libkrb5 as non-threadsafe due to defects in MIT libkrb5 <= 1.11.4])
+			fi
+		else
+			krb5mod_cflags="$krb5mod_cflags -DHEIMDAL_KRB5"
+			AC_MSG_RESULT([HEIMDAL])
+		fi
 	else
-	    FR_SMART_CHECK_LIB(krb5, krb5_get_init_creds_password)
-	    if test "x$ac_cv_lib_krb5_krb5_get_init_creds_password" != xyes; then
-		    fail="$fail krb5"
-	    fi
+		smart_try_dir="$rlm_krb5_dir/include"
+		FR_SMART_CHECK_INCLUDE(krb5.h)
+		if test "$ac_cv_header_krb5_h" != "yes"; then
+		fail="$fail krb5.h"
+		fi
+
+		dnl #
+		dnl # This lives in different places depending on the distro
+		dnl #
+
+		FR_SMART_CHECK_INCLUDE([com_err.h])
+		if test "$ac_cv_header_com_err_h" != "yes"; then
+		FR_SMART_CHECK_INCLUDE([et/com_err.h])
+		if test "$ac_cv_header_et_com_err_h" != "yes"; then
+		    fail="$fail com_err.h"
+		    else
+			krb5mod_cflags="$krb5mod_cflags -DET_COMM_ERR "
+		    fi
+		fi
+
+		krb5libcrypto=
+		smart_try_dir="$rlm_krb5_dir/lib"
+		FR_SMART_CHECK_LIB(k5crypto, krb5_encrypt_data)
+		if test "x$ac_cv_lib_k5crypto_krb5_encrypt_data" = xyes; then
+			krb5libcrypto="-lk5crypto"
+		fi
+
+		if test "x$krb5libcrypto" = x; then
+			FR_SMART_CHECK_LIB(crypto, DH_new)
+			if test "x$ac_cv_lib_crypto_DH_new" = xyes; then
+				krb5libcrypto="-lcrypto"
+			fi
+		fi
+
+		if test "x$krb5libcrypto" = x; then
+			AC_MSG_WARN([neither krb5 'k5crypto' nor 'crypto' libraries are found!])
+		fi
+
+		FR_SMART_CHECK_LIB(com_err, set_com_err_hook)
+		if test "x$ac_cv_lib_com_err_set_com_err_hook" != xyes; then
+			AC_MSG_WARN([the comm_err library isn't found!])
+		fi
+
+		dnl Only the heimdal version of the library has this function
+		FR_SMART_CHECK_LIB(krb5, krb5_verify_user_opt)
+		if test "x$ac_cv_lib_krb5_krb5_verify_user_opt" == xyes; then
+		krb5mod_cflags="$krb5mod_cflags -DHEIMDAL_KRB5"
+		else
+		    FR_SMART_CHECK_LIB(krb5, krb5_get_init_creds_password)
+		    if test "x$ac_cv_lib_krb5_krb5_get_init_creds_password" != xyes; then
+			    fail="$fail krb5"
+		    fi
+		fi
+
 	fi
-		
-	krb5threadsafe=
-	FR_SMART_CHECK_LIB(krb5, krb5_is_thread_safe)
-	if test "x$ac_cv_lib_krb5_krb5_is_thread_safe" == xyes; then
-        AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[return krb5_is_thread_safe() ? 0 : 1]])],
-                      [krb5threadsafe="-DKRB5_IS_THREAD_SAFE"], [AC_MSG_WARN([[libkrb5 is not threadsafe]])])
+
+	dnl #
+	dnl # Only check if version checks have not found kerberos to be thread unsafe
+	dnl #
+	if test "$krb5threadsafe" == ""; then
+		krb5threadsafe=
+		FR_SMART_CHECK_LIB(krb5, krb5_is_thread_safe)
+
+		if test "x$ac_cv_lib_krb5_krb5_is_thread_safe" == xyes; then
+		AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[return krb5_is_thread_safe() ? 0 : 1]])],
+			      [krb5threadsafe="-DKRB5_IS_THREAD_SAFE"], [AC_MSG_WARN([[libkrb5 is not threadsafe]])])
+		fi
 	fi
 
 	targetname=modname
@@ -117,7 +149,7 @@ if test x"$fail" != x""; then
 	fi
 fi
 
-mod_ldflags="${krb5libcrypto} ${SMART_LIBS}"
+mod_ldflags="${krb5mod_ldflags} ${krb5libcrypto} ${SMART_LIBS}"
 mod_cflags="${krb5mod_cflags} ${krb5threadsafe} ${SMART_CFLAGS}"
 
 AC_SUBST(mod_ldflags)
diff --git a/src/modules/rlm_krb5/rlm_krb5.c b/src/modules/rlm_krb5/rlm_krb5.c
index cbe5a98f4f..14301a0872 100644
--- a/src/modules/rlm_krb5/rlm_krb5.c
+++ b/src/modules/rlm_krb5/rlm_krb5.c
@@ -39,31 +39,6 @@ RCSID("$Id$")
 #  include <com_err.h>
 #endif
 
-/*
- *  Work around bug in krb5_copy_context which attempts to copy the list
- *  of tgs_kytpes and tkt_ktypes associated with a context... except by
- *  default the pointers to those lists are NULL, and so it SEGVs
- *
- *  The functions sigs below are not provided by krb5.h, but are available
- *  in the library.
- */
-#if !defined(HEIMDAL_KRB5) && defined(KRB5_IS_THREAD_SAFE)
-krb5_error_code
-krb5_set_default_in_tkt_ktypes(krb5_context context, const krb5_enctype *etypes);
-
-krb5_error_code
-krb5_get_default_in_tkt_ktypes(krb5_context context, krb5_enctype **ktypes);
-
-krb5_error_code
-krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_enctype **ktypes);
-
-krb5_error_code
-krb5_set_default_tgs_ktypes(krb5_context context, const krb5_enctype *etypes);
-
-void
-krb5_free_ktypes(krb5_context context, krb5_enctype *val);
-#endif
-
 /** Instance configuration for rlm_krb5
  *
  * Holds the configuration and preparsed data for a instance of rlm_krb5.
@@ -258,23 +233,6 @@ static int krb5_instantiate(CONF_SECTION *conf, void *instance)
 
 	krb5_verify_init_creds_opt_init(inst->vic_options);
 	krb5_verify_init_creds_opt_set_ap_req_nofail(inst->vic_options, true);
-
-#  ifdef KRB5_IS_THREAD_SAFE
-	/*
-	 *	Explicitly set enctypes to work around bug in krb5_copy_context
-	 */
-	{
-		krb5_enctype *enctypes;
-
-		krb5_get_default_in_tkt_ktypes(inst->context, &enctypes);
-		krb5_set_default_in_tkt_ktypes(inst->context, enctypes);
-		krb5_free_ktypes(inst->context, enctypes);
-
-		krb5_get_tgs_ktypes(inst->context, inst->server, &enctypes);
-		krb5_set_default_tgs_ktypes(inst->context, enctypes);
-		krb5_free_ktypes(inst->context, enctypes);
-	}
-#  endif
 #endif
 
 	return 0;
-- 
2.47.3