freebsd9: support both WAF MIT krb5 build and autoconf build against MIT krb5

System-provided Heimdal Kerberos in FreeBSD 9 lacks proper support for parsing MS PAC.
This leaves us with MIT krb5 package from ports or embedded Heimdal in source4.
MIT krb5 from ports is 1.9.2, it supports all needed features for AD support in smbd,
as well as WAF MIT krb5 build. In order to use it, one needs to install 'krb5' package.

Autoconf build:
  --with-krb5=/usr/local

WAF build:
  --with-system-mitkrb5 /usr/local

or otherwise krb5-config from system Heimdal will overtake and break the detection, leaving
you with a mixture of Kerberos libraries from different locations.

WAF build accepts multiple paths as sub-arguments of the --with-system-mitkrb5 and searches
through them for krb5-config, i.e. /usr/local /usr/kerberos ...

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Mon May 28 23:40:30 CEST 2012 on sn-devel-104

source3/m4/aclocal.m4

@@ -412,6 +412,7 @@ AC_DEFUN(LIB_REMOVE_USR_LIB,[
     -Wl,-rpath-Wl,/usr/lib/) l="";;
     -Wl,-rpath-Wl,/usr/lib64) l="";;
     -Wl,-rpath-Wl,/usr/lib64/) l="";;
+    -rpath=/usr/lib:*) l="-rpath=${i#-rpath=*:}";;
     *)
     	s=" "
         if test x"[$]ac_new_flags" = x""; then

wscript

@@ -17,6 +17,20 @@ samba_dist.DIST_BLACKLIST('.gitignore .bzrignore')
 # install in /usr/local/samba by default
 Options.default_prefix = '/usr/local/samba'
 
+# This callback optionally takes a list of paths as arguments:
+# --with-system_mitkrb5 /path/to/krb5 /another/path
+def system_mitkrb5_callback(option, opt, value, parser):
+    setattr(parser.values, option.dest, True)
+    value = []
+    for arg in parser.rargs:
+        # stop on --foo like options
+        if arg[:2] == "--" and len(arg) > 2:
+            break
+        value.append(arg)
+    if len(value)>0:
+        del parser.rargs[:len(value)]
+        setattr(parser.values, option.dest, value)
+
 def set_options(opt):
     opt.BUILTIN_DEFAULT('NONE')
     opt.PRIVATE_EXTENSION_DEFAULT('samba4')
@@ -33,8 +47,9 @@ def set_options(opt):
     opt.RECURSE('lib/util')
 
     opt.add_option('--with-system-mitkrb5',
-                   help='enable system MIT krb5 build (includes Samba 4 client and Samba 3 code base)',
-                   action='store_true', dest='with_system_mitkrb5', default=False)
+                   help='enable system MIT krb5 build (includes Samba 4 client and Samba 3 code base).'+
+                        'You may specify list of paths where Kerberos is installed (e.g. /usr/local /usr/kerberos) to search krb5-config',
+                   action='callback', callback=system_mitkrb5_callback, dest='with_system_mitkrb5', default=False)
 
     opt.add_option('--without-ad-dc',
                    help='disable AD DC functionality (enables Samba 4 client and Samba 3 code base). Requires system MIT krb5',

wscript_configure_system_mitkrb5

@@ -13,17 +13,23 @@ def krb5_define_syslib(conf, lib, deps):
 
 Logs.info("Looking for kerberos features")
 conf.find_program('krb5-config.heimdal', var='HEIMDAL_KRB5_CONFIG')
-conf.find_program('krb5-config', var='KRB5_CONFIG')
+
+if isinstance(Options.options.with_system_mitkrb5, list):
+    path_krb5_config = [x+'/bin' for x in Options.options.with_system_mitkrb5]
+else:
+    path_krb5_config = None
+
+conf.find_program('krb5-config', path_list=path_krb5_config, var='KRB5_CONFIG')
 if conf.env.KRB5_CONFIG:
-    conf.check_cfg(path="krb5-config", args="--cflags --libs",
+    conf.check_cfg(path=conf.env.KRB5_CONFIG, args="--cflags --libs",
                package="", uselib_store="KRB5")
     krb5_define_syslib(conf, "krb5", conf.env['LIB_KRB5'])
-    for lib in conf.env['LIB_KRB5']:
-        krb5_define_syslib(conf, lib, lib)
 
-    conf.check_cfg(path="krb5-config", args="--cflags --libs",
+    conf.check_cfg(path=conf.env.KRB5_CONFIG, args="--cflags --libs",
                package="gssapi", uselib_store="GSSAPI")
     krb5_define_syslib(conf, "gssapi", conf.env['LIB_GSSAPI'])
+    if 'gssapi_krb5' in conf.env['LIB_GSSAPI']:
+        krb5_define_syslib(conf, "gssapi_krb5", conf.env['LIB_GSSAPI'])
 
     vendor = conf.cmd_and_log("%(path)s --vendor" % dict(path=conf.env.KRB5_CONFIG), dict())
     conf.env.KRB5_VENDOR = vendor.strip().lower()
@@ -49,9 +55,14 @@ conf.CHECK_FUNCS_IN('krb5_encrypt_data', 'k5crypto')
 conf.CHECK_FUNCS_IN('des_set_key','crypto')
 conf.CHECK_FUNCS_IN('copy_Authenticator', 'asn1')
 conf.CHECK_FUNCS_IN('roken_getaddrinfo_hostspec', 'roken')
-if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \
-   conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'):
+
+if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi gssapi_krb5'):
     have_gssapi=True
+
+if not have_gssapi:
+    Logs.error("ERROR: WAF build with MIT Krb5 requires working GSSAPI implementation")
+    sys.exit(1)
+
 conf.CHECK_FUNCS_IN('''
        gss_wrap_iov
        gss_krb5_import_cred
@@ -62,7 +73,7 @@ conf.CHECK_FUNCS_IN('''
        gsskrb5_extract_authz_data_from_sec_context
        gss_krb5_export_lucid_sec_context
        gss_import_cred gss_export_cred
-       ''', 'gssapi gssapi_krb5 krb5')
+       ''', 'gssapi gssapi_krb5')
 conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
 conf.CHECK_FUNCS('''
        krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes