From: neilbrown <neilbrown>
Date: Fri, 26 Aug 2005 02:04:40 +0000 (+0000)
Subject: 	Add option to set rpcsec_gss debugging level (if available)
X-Git-Tag: nfs-utils-1-0-7-post3^0
X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=commitdiff_plain;h=651b5d3cf5428cbf1d2cd3ae572453af249bef1e

	Add option to set rpcsec_gss debugging level (if available)

	Changes to allow gssd/svcgssd to build when using Hiemdal Kerberos
	libraries.  Note that there are still run-time issues preventing
	this from working when shared libraries for libgssapi and librpcsecgss
	are used.
---

diff --git a/ChangeLog b/ChangeLog
index 7f98cdf..cf0a254 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2005-08-26 Kevin Coffman <kwc@citi.umich.edu>
+	Add option to set rpcsec_gss debugging level (if available)
+
+	Changes to allow gssd/svcgssd to build when using Hiemdal Kerberos
+	libraries.  Note that there are still run-time issues preventing
+	this from working when shared libraries for libgssapi and librpcsecgss
+	are used.
+	
 2005-08-26 Kevin Coffman <kwc@citi.umich.edu>
 	Remove the rpcsec_gss code and rely on an external library instead.
 
diff --git a/configure b/configure
index 141232e..4127631 100755
--- a/configure
+++ b/configure
@@ -2006,6 +2006,91 @@ fi
     echo "configure: warning: Using $KRBDIR instead of requested value of $krb5_with for Kerberos!" 1>&2
   fi
 
+      echo $ac_n "checking for authgss_create_default in -lrpcsecgss""... $ac_c" 1>&6
+echo "configure:2011: checking for authgss_create_default in -lrpcsecgss" >&5
+ac_lib_var=`echo rpcsecgss'_'authgss_create_default | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lrpcsecgss $KRBLIB $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2019 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char authgss_create_default();
+
+int main() {
+authgss_create_default()
+; return 0; }
+EOF
+if { (eval echo configure:2030: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  librpcsecgss=1
+else
+  echo "$ac_t""no" 1>&6
+{ echo "configure: error: librpcsecgss needed for nfsv4 support" 1>&2; exit 1; }
+fi
+
+  echo $ac_n "checking for authgss_set_debug_level in -lrpcsecgss""... $ac_c" 1>&6
+echo "configure:2052: checking for authgss_set_debug_level in -lrpcsecgss" >&5
+ac_lib_var=`echo rpcsecgss'_'authgss_set_debug_level | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  ac_save_LIBS="$LIBS"
+LIBS="-lrpcsecgss $KRBLIB $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2060 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char authgss_set_debug_level();
+
+int main() {
+authgss_set_debug_level()
+; return 0; }
+EOF
+if { (eval echo configure:2071: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=yes"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  cat >> confdefs.h <<\EOF
+#define HAVE_AUTHGSS_SET_DEBUG_LEVEL 1
+EOF
+
+else
+  echo "$ac_t""no" 1>&6
+fi
+
+
   
   
   
@@ -2016,17 +2101,17 @@ for ac_hdr in com_err.h
 do
 ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:2020: checking for $ac_hdr" >&5
+echo "configure:2105: checking for $ac_hdr" >&5
 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 2025 "configure"
+#line 2110 "configure"
 #include "confdefs.h"
 #include <$ac_hdr>
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:2030: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:2115: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
@@ -2056,17 +2141,17 @@ for ac_hdr in et/com_err.h
 do
 ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:2060: checking for $ac_hdr" >&5
+echo "configure:2145: checking for $ac_hdr" >&5
 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 2065 "configure"
+#line 2150 "configure"
 #include "confdefs.h"
 #include <$ac_hdr>
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:2070: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:2155: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
@@ -2096,12 +2181,12 @@ done
 for ac_func in innetgr
 do
 echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:2100: checking for $ac_func" >&5
+echo "configure:2185: checking for $ac_func" >&5
 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 2105 "configure"
+#line 2190 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char $ac_func(); below.  */
@@ -2124,7 +2209,7 @@ $ac_func();
 
 ; return 0; }
 EOF
-if { (eval echo configure:2128: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2213: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_$ac_func=yes"
 else
@@ -2150,7 +2235,7 @@ done
 
 
             echo $ac_n "checking size of short""... $ac_c" 1>&6
-echo "configure:2154: checking size of short" >&5
+echo "configure:2239: checking size of short" >&5
    if eval "test \"`echo '$''{'ac_cv_sizeof_short'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2158,7 +2243,7 @@ else
     { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
 else
   cat > conftest.$ac_ext <<EOF
-#line 2162 "configure"
+#line 2247 "configure"
 #include "confdefs.h"
 #include <stdio.h>
      #include <sys/types.h>
@@ -2170,7 +2255,7 @@ else
       exit(0);
     }
 EOF
-if { (eval echo configure:2174: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:2259: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
 then
   ac_cv_sizeof_short=`cat conftestval`
 else
@@ -2191,7 +2276,7 @@ EOF
 
           
             echo $ac_n "checking size of int""... $ac_c" 1>&6
-echo "configure:2195: checking size of int" >&5
+echo "configure:2280: checking size of int" >&5
    if eval "test \"`echo '$''{'ac_cv_sizeof_int'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2199,7 +2284,7 @@ else
     { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
 else
   cat > conftest.$ac_ext <<EOF
-#line 2203 "configure"
+#line 2288 "configure"
 #include "confdefs.h"
 #include <stdio.h>
      #include <sys/types.h>
@@ -2211,7 +2296,7 @@ else
       exit(0);
     }
 EOF
-if { (eval echo configure:2215: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:2300: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
 then
   ac_cv_sizeof_int=`cat conftestval`
 else
@@ -2232,7 +2317,7 @@ EOF
 
           
             echo $ac_n "checking size of long""... $ac_c" 1>&6
-echo "configure:2236: checking size of long" >&5
+echo "configure:2321: checking size of long" >&5
    if eval "test \"`echo '$''{'ac_cv_sizeof_long'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2240,7 +2325,7 @@ else
     { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
 else
   cat > conftest.$ac_ext <<EOF
-#line 2244 "configure"
+#line 2329 "configure"
 #include "confdefs.h"
 #include <stdio.h>
      #include <sys/types.h>
@@ -2252,7 +2337,7 @@ else
       exit(0);
     }
 EOF
-if { (eval echo configure:2256: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:2341: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
 then
   ac_cv_sizeof_long=`cat conftestval`
 else
@@ -2273,7 +2358,7 @@ EOF
 
           
             echo $ac_n "checking size of size_t""... $ac_c" 1>&6
-echo "configure:2277: checking size of size_t" >&5
+echo "configure:2362: checking size of size_t" >&5
    if eval "test \"`echo '$''{'ac_cv_sizeof_size_t'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2281,7 +2366,7 @@ else
     { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; }
 else
   cat > conftest.$ac_ext <<EOF
-#line 2285 "configure"
+#line 2370 "configure"
 #include "confdefs.h"
 #include <stdio.h>
      #include <sys/types.h>
@@ -2293,7 +2378,7 @@ else
       exit(0);
     }
 EOF
-if { (eval echo configure:2297: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:2382: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
 then
   ac_cv_sizeof_size_t=`cat conftestval`
 else
diff --git a/utils/gssd/context_heimdal.c b/utils/gssd/context_heimdal.c
index 27c44a3..edd4dfc 100644
--- a/utils/gssd/context_heimdal.c
+++ b/utils/gssd/context_heimdal.c
@@ -37,9 +37,11 @@
 #include <syslog.h>
 #include <string.h>
 #include <errno.h>
-#include <gssapi.h>
 #include <krb5.h>
+#include <gssapi.h>	/* Must use the heimdal copy! */
+#ifdef HAVE_COM_ERR_H
 #include <com_err.h>
+#endif
 #include "err_util.h"
 #include "gss_oids.h"
 #include "write_bytes.h"
@@ -83,9 +85,14 @@ int write_heimdal_enc_key(char **p, char *end, gss_ctx_id_t ctx)
 	}
 
 	memset(&enc_key, 0, sizeof(enc_key));
-	printerr(1, "WARN: write_heimdal_enc_key: "
-		    "overriding heimdal keytype\n");
-	enc_key.keytype = 4 /* XXX XXX XXX XXX key->keytype */;
+	enc_key.keytype = key->keytype;
+	/* XXX current kernel code only handles des-cbc-raw  (4) */
+	if (enc_key.keytype != 4) {
+		printerr(1, "WARN: write_heimdal_enc_key: "
+			    "overriding heimdal keytype (%d => %d)\n",
+			 enc_key.keytype, 4);
+		enc_key.keytype = 4;
+	}
 	enc_key.keyvalue.length = key->keyvalue.length;
 	if ((enc_key.keyvalue.data =
 				calloc(1, enc_key.keyvalue.length)) == NULL) {
@@ -135,9 +142,13 @@ int write_heimdal_seq_key(char **p, char *end, gss_ctx_id_t ctx)
 		goto out_err_free_context;
 	}
 
-	printerr(1, "WARN: write_heimdal_seq_key: "
-		    "overriding heimdal keytype\n");
-	key->keytype = 4;	/* XXX XXX XXX XXX XXX */
+	/* XXX current kernel code only handles des-cbc-raw  (4) */
+	if (key->keytype != 4) {
+		printerr(1, "WARN: write_heimdal_seq_key: "
+			    "overriding heimdal keytype (%d => %d)\n",
+			 key->keytype, 4);
+		key->keytype = 4;
+	}
 
 	if (write_heimdal_keyblock(p, end, key)) {
 		goto out_err_free_key;
diff --git a/utils/gssd/gss_oids.h b/utils/gssd/gss_oids.h
index 850c013..8b0a352 100644
--- a/utils/gssd/gss_oids.h
+++ b/utils/gssd/gss_oids.h
@@ -32,7 +32,6 @@
 #define _GSS_OIDS_H_
 
 #include <sys/types.h>
-#include <gssapi/gssapi.h>
 
 extern gss_OID_desc krb5oid;
 extern gss_OID_desc spkm3oid;
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
index 7f28320..8031d48 100644
--- a/utils/gssd/gssd.c
+++ b/utils/gssd/gssd.c
@@ -36,6 +36,8 @@
 
 */
 
+#include "config.h"
+
 #include <sys/param.h>
 #include <sys/socket.h>
 #include <rpc/rpc.h>
@@ -74,7 +76,7 @@ sig_hup(int signal)
 static void
 usage(char *progname)
 {
-	fprintf(stderr, "usage: %s [-f] [-v] [-p pipefsdir] [-k keytab]\n",
+	fprintf(stderr, "usage: %s [-f] [-v] [-r] [-p pipefsdir] [-k keytab]\n",
 		progname);
 	exit(1);
 }
@@ -84,11 +86,12 @@ main(int argc, char *argv[])
 {
 	int fg = 0;
 	int verbosity = 0;
+	int rpc_verbosity = 0;
 	int opt;
 	extern char *optarg;
 	char *progname;
 
-	while ((opt = getopt(argc, argv, "fvmp:k:")) != -1) {
+	while ((opt = getopt(argc, argv, "fvrmp:k:")) != -1) {
 		switch (opt) {
 			case 'f':
 				fg = 1;
@@ -99,6 +102,9 @@ main(int argc, char *argv[])
 			case 'v':
 				verbosity++;
 				break;
+			case 'r':
+				rpc_verbosity++;
+				break;
 			case 'p':
 				strncpy(pipefsdir, optarg, sizeof(pipefsdir));
 				if (pipefsdir[sizeof(pipefsdir)-1] != '\0')
@@ -125,6 +131,13 @@ main(int argc, char *argv[])
 		progname = argv[0];
 
 	initerr(progname, verbosity, fg);
+#ifdef HAVE_AUTHGSS_SET_DEBUG_LEVEL
+	authgss_set_debug_level(rpc_verbosity);
+#else
+        if (rpc_verbosity > 0)
+		printerr(0, "Warning: rpcsec_gss library does not "
+			    "support setting debug level\n");
+#endif
 
 	if (!fg && daemon(0, 0) < 0)
 		errx(1, "fork");
diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
index d8f9a0f..01404d1 100644
--- a/utils/gssd/gssd.man
+++ b/utils/gssd/gssd.man
@@ -6,7 +6,7 @@
 .SH NAME
 rpc.gssd \- rpcsec_gss daemon
 .SH SYNOPSIS
-.B "rpc.gssd [-f] [-k keytab] [-p pipefsdir] [-v]"
+.B "rpc.gssd [-f] [-k keytab] [-p pipefsdir] [-v] [-r]"
 .SH DESCRIPTION
 The rpcsec_gss protocol gives a means of using the gss-api generic security
 api to provide security for protocols using rpc (in particular, nfs).  Before
@@ -50,6 +50,10 @@ where to look for the rpc_pipefs filesystem.  The default value is
 .TP
 .B -v
 Increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -r
+If the rpcsec_gss library supports setting debug level,
+increases the verbosity of the output (can be specified multiple times).
 .SH SEE ALSO
 .BR rpc.svcgssd(8)
 .SH AUTHORS
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index d29b839..353a93e 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -131,7 +131,7 @@ static int select_krb5_ccache(const struct dirent *d);
 static int gssd_find_existing_krb5_ccache(uid_t uid, struct dirent **d);
 static int gssd_get_single_krb5_cred(krb5_context context,
 		krb5_keytab kt, struct gssd_k5_kt_princ *ple);
-static int gssd_have_realm_ple(krb5_data *realm);
+static int gssd_have_realm_ple(void *realm);
 static int gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt,
 		char *kt_name);
 
@@ -355,7 +355,7 @@ gssd_get_single_krb5_cred(krb5_context context,
 	krb5_get_init_creds_opt_set_tkt_life(&options, 5*60);
 #endif
         if ((code = krb5_get_init_creds_keytab(context, &my_creds, ple->princ,
-	                                  kt, 0, 0, &options))) {
+	                                  kt, 0, NULL, &options))) {
 		char *pname;
 		if ((krb5_unparse_name(context, ple->princ, &pname))) {
 			pname = NULL;
@@ -364,7 +364,11 @@ gssd_get_single_krb5_cred(krb5_context context,
 			    "principal '%s' from keytab '%s'\n",
 			 error_message(code),
 			 pname ? pname : "<unparsable>", kt_name);
+#ifdef HAVE_KRB5
 		if (pname) krb5_free_unparsed_name(context, pname);
+#else
+		if (pname) free(pname);
+#endif
 		goto out;
 	}
 
@@ -416,13 +420,22 @@ gssd_get_single_krb5_cred(krb5_context context,
  *	1 => found ple for given realm
  */
 static int
-gssd_have_realm_ple(krb5_data *realm)
+gssd_have_realm_ple(void *r)
 {
 	struct gssd_k5_kt_princ *ple;
+#ifdef HAVE_KRB5
+	krb5_data *realm = (krb5_data *)r;
+#else
+	char *realm = (char *)r;
+#endif
 
 	for (ple = gssd_k5_kt_princ_list; ple; ple = ple->next) {
+#ifdef HAVE_KRB5
 		if ((realm->length == strlen(ple->realm)) &&
 		    (strncmp(realm->data, ple->realm, realm->length) == 0)) {
+#else
+		if (strcmp(realm, ple->realm) == 0) {
+#endif
 		    return 1;
 		}
 	}
@@ -472,16 +485,27 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
 		}
 		printerr(2, "Processing keytab entry for principal '%s'\n",
 			 pname);
+#ifdef HAVE_KRB5
 		if ( (kte.principal->data[0].length == GSSD_SERVICE_NAME_LEN) &&
 		     (strncmp(kte.principal->data[0].data, GSSD_SERVICE_NAME,
 			      GSSD_SERVICE_NAME_LEN) == 0) &&
-		     (!gssd_have_realm_ple(&kte.principal->realm)) ) {
+#else
+		if ( (strlen(kte.principal->name.name_string.val[0]) == GSSD_SERVICE_NAME_LEN) &&
+		     (strncmp(kte.principal->name.name_string.val[0], GSSD_SERVICE_NAME,
+			      GSSD_SERVICE_NAME_LEN) == 0) &&
+			      
+#endif
+		     (!gssd_have_realm_ple((void *)&kte.principal->realm)) ) {
 			printerr(2, "We will use this entry (%s)\n", pname);
 			ple = malloc(sizeof(struct gssd_k5_kt_princ));
 			if (ple == NULL) {
 				printerr(0, "ERROR: could not allocate storage "
 					    "for principal list entry\n");
+#ifdef HAVE_KRB5
 				krb5_free_unparsed_name(context, pname);
+#else
+				free(pname);
+#endif
 				retval = ENOMEM;
 				goto out;
 			}
@@ -490,13 +514,21 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
 			ple->ccname = NULL;
 			ple->endtime = 0;
 			if ((ple->realm =
+#ifdef HAVE_KRB5
 				strndup(kte.principal->realm.data,
 					kte.principal->realm.length))
+#else
+				strdup(kte.principal->realm))
+#endif
 					== NULL) {
 				printerr(0, "ERROR: %s while copying realm to "
 					    "principal list entry\n",
 					 "not enough memory");
+#ifdef HAVE_KRB5
 				krb5_free_unparsed_name(context, pname);
+#else
+				free(pname);
+#endif
 				retval = ENOMEM;
 				goto out;
 			}
@@ -505,7 +537,11 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
 				printerr(0, "ERROR: %s while copying principal "
 					    "to principal list entry\n",
 					error_message(code));
+#ifdef HAVE_KRB5
 				krb5_free_unparsed_name(context, pname);
+#else
+				free(pname);
+#endif
 				retval = code;
 				goto out;
 			}
@@ -520,7 +556,11 @@ gssd_process_krb5_keytab(krb5_context context, krb5_keytab kt, char *kt_name)
 			printerr(2, "We will NOT use this entry (%s)\n",
 				pname);
 		}
+#ifdef HAVE_KRB5
 		krb5_free_unparsed_name(context, pname);
+#else
+		free(pname);
+#endif
 	}
 
 	if ((code = krb5_kt_end_seq_get(context, kt, &cursor))) {
diff --git a/utils/svcgssd/svcgssd.c b/utils/svcgssd/svcgssd.c
index 8e5cc99..3b5a981 100644
--- a/utils/svcgssd/svcgssd.c
+++ b/utils/svcgssd/svcgssd.c
@@ -37,6 +37,8 @@
 
 */
 
+#include "config.h"
+
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -154,7 +156,7 @@ sig_hup(int signal)
 static void
 usage(char *progname)
 {
-	fprintf(stderr, "usage: %s [-n] [-f] [-v]\n",
+	fprintf(stderr, "usage: %s [-n] [-f] [-v] [-r]\n",
 		progname);
 	exit(1);
 }
@@ -165,11 +167,12 @@ main(int argc, char *argv[])
 	int get_creds = 1;
 	int fg = 0;
 	int verbosity = 0;
+	int rpc_verbosity = 0;
 	int opt;
 	extern char *optarg;
 	char *progname;
 
-	while ((opt = getopt(argc, argv, "fvnp:")) != -1) {
+	while ((opt = getopt(argc, argv, "fvrnp:")) != -1) {
 		switch (opt) {
 			case 'f':
 				fg = 1;
@@ -180,6 +183,9 @@ main(int argc, char *argv[])
 			case 'v':
 				verbosity++;
 				break;
+			case 'r':
+				rpc_verbosity++;
+				break;
 			default:
 				usage(argv[0]);
 				break;
@@ -192,6 +198,13 @@ main(int argc, char *argv[])
 		progname = argv[0];
 
 	initerr(progname, verbosity, fg);
+#ifdef HAVE_AUTHGSS_SET_DEBUG_LEVEL
+	authgss_set_debug_level(rpc_verbosity);
+#else
+	if (rpc_verbosity > 0)
+		printerr(0, "Warning: rpcsec_gss library does not "
+			    "support setting debug level\n");
+#endif
 
 	if (!fg)
 		mydaemon(0, 0);
diff --git a/utils/svcgssd/svcgssd.man b/utils/svcgssd/svcgssd.man
index f17f772..a770662 100644
--- a/utils/svcgssd/svcgssd.man
+++ b/utils/svcgssd/svcgssd.man
@@ -6,7 +6,7 @@
 .SH NAME
 rpc.svcgssd \- server-side rpcsec_gss daemon
 .SH SYNOPSIS
-.B "rpc.svcgssd [-v] [-f] [-p pipefsdir]"
+.B "rpc.svcgssd [-v] [-r] [-f] [-p pipefsdir]"
 .SH DESCRIPTION
 The rpcsec_gss protocol gives a means of using the gss-api generic security
 api to provide security for protocols using rpc (in particular, nfs).  Before
@@ -27,6 +27,10 @@ in the foreground and sends output to stderr (as opposed to syslogd)
 .TP
 .B -v
 Increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -r
+If the rpcsec_gss library supports setting debug level,
+increases the verbosity of the output (can be specified multiple times).
 
 .SH SEE ALSO
 .BR rpc.gssd(8),